On Sat, Oct 29, 2016 at 7:21 AM, Kohei Yoshino <kohei.yosh...@gmail.com> wrote:
> So the Battery Status API has just been removed, I think now is a good
> time to think about navigator.buildID again, which bug [1] has been
> inactive for a whole year.
>
> 4 years ago, Firefox 16 removed a minor version number from the user agent
> string to mitigate fingerprinting [2][3]. However, the build ID unique to
> each minor version is still exposed via the non-standard navigator.buildID
> property. Since trackers can easily retrieve build IDs from Mozilla Wiki
> [4] to map them to minor version numbers, the fix in Firefox 16 was totally
> meaningless.
>
> There were some legitimate use cases on Mozilla properties, for example,
> warning visitors who are using an outdated Firefox, but those usages have
> been replaced with the UITour API [5]. A comment in the bug [1] explains
> that Netflix was also using the build ID to detect a specific playback bug
> in Firefox, but it's probably no longer relevant. Given that, I believe
> the buildID property should be removed, or at least made chrome-only.
>

I concur, we shouldn't leak such fine-grained information about the UA to content. For future discussion, my Nightly uses

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0

but navigator.buildID is 20161015030203, revealing much more than 52.0.

As for chrome-only -- I wonder how many consumers there are. about:support, perhaps?

Nick
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform