Bug 1412151: Allow contentaccessible=yes for locale manifest
Status: RESOLVED INVALID
Opened 7 years ago, closed 7 years ago
Categories: Core :: XPCOM, enhancement
Tracking: firefox58 affected
People: Reporter: Mardak, Unassigned
In bug 1411452, we're trying to package .js files that contain localized values to allow content-privileged about:home/newtab to avoid waiting for messages from main containing those values. However, if we package these files with a locale manifest, we run into NS_ERROR_DOM_BAD_URI: <script> source URI is not allowed in this document: “chrome://activity-stream/locale/activity-stream-initial-state.js”. The browser's locale is already exposed via navigator.language, so exposing values that could be used to infer the locale shouldn't increase fingerprintability.
Comment 1 (Reporter) • 7 years ago
<Mardak> would it be wrong to allow locale manifest entries contentaccessible=yes (instead of only content entries)?
<billm> would that expose the browser's locale to web pages? maybe that's already exposed?
<Mardak> ah i suppose most likely the content of the file would have locale-specific values, so one could figure out the packaged locale, yes. it does seem to be exposed via navigator.language
<billm> well, maybe it's okay then. the main thing we want is to avoid fingerprinting.
Comment 2 • 7 years ago
There's work to avoid fingerprinting through locale data; those are hooked up to the tracker in bug 1329996. I also think that this is generally tricky from a security perspective, as it could, in particular on localized builds, give quite some insights into the exact build version someone has installed.
Comment 3 • 7 years ago
Just to be clear, the set of locales exposed via navigator.language is not the same as languages used by the browser UI. We separate those two groups and allow users to select which locales they use Firefox in, and which locales they broadcast to the web. The latter is exposed in `navigator.languages` and via Accepted-Locales headers. The former is not accessible from the Web.
Comment 4 (Reporter) • 7 years ago
Sounds like there would be security and privacy issues of the approach, so I'll just close this.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
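
A manifest audit for the restriction discussed in this bug, as an added example that is not part of the bug report or Mozilla's code: it lists the content packages registered with contentaccessible=yes and reports the flag on locale or skin entries, where per the thread it is not allowed. The sample manifest and its paths are constructed, and `audit_manifest` is a hypothetical helper name.

```python
# Added example: audit chrome.manifest registrations for exposure to web content.
# SAMPLE_MANIFEST is constructed for illustration; its paths are hypothetical.
SAMPLE_MANIFEST = """\
# constructed sample
content activity-stream chrome/content/ contentaccessible=yes
locale activity-stream en-US chrome/locale/en-US/ contentaccessible=yes
locale activity-stream de chrome/locale/de/
skin activity-stream classic/1.0 chrome/skin/
content private-ui chrome/private/
"""

# Positional arguments that follow each directive, before any optional flags:
#   content <package> <uri>
#   locale  <package> <localename> <uri>
#   skin    <package> <skinname> <uri>
POSITIONAL = {"content": 2, "locale": 3, "skin": 3}
FLAG = "contentaccessible=yes"


def audit_manifest(text):
    """Return (exposed, misplaced).

    exposed:   sorted content packages registered with contentaccessible=yes
    misplaced: (line_no, directive, package) tuples where the flag sits on a
               locale or skin entry instead of a content entry
    """
    exposed, misplaced = set(), []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        directive = fields[0]
        if directive not in POSITIONAL or len(fields) < 1 + POSITIONAL[directive]:
            continue  # other directives and malformed lines are out of scope
        package = fields[1]
        flags = fields[1 + POSITIONAL[directive]:]
        if FLAG not in flags:
            continue
        if directive == "content":
            exposed.add(package)
        else:
            misplaced.append((line_no, directive, package))
    return sorted(exposed), misplaced


if __name__ == "__main__":
    exposed, misplaced = audit_manifest(SAMPLE_MANIFEST)
    print("content packages reachable from web content:", exposed)
    for line_no, directive, package in misplaced:
        print(f"line {line_no}: {FLAG} on {directive} entry for {package}")
```

Each package in the first list is a chrome:// surface that untrusted pages can load, so it is the list to review for locale-specific or build-specific values of the kind comments 2 and 3 raise.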