In bug 1865766, I tried to freeze the Android OS version exposed in Firefox Android's UA string at "Android 10", to reduce fingerprintable entropy passively exposed to the web and to match Chrome. As part of Chrome’s UA reduction, Google froze the Android version exposed in Chrome’s UA string at "Android 10" (in Chrome 110, May 2023):

https://www.chromium.org/updates/ua-reduction

However, we ran into a webcompat problem (bug 1876742) where Firefox users couldn't log into some work websites because Duo authentication's "Trusted Endpoint" OS version checks blocked users with Android versions < 11. Enterprise admins can configure Duo authentication to only permit client OS versions they consider secure enough to log into their work websites. This problem didn't affect Chrome because Duo can use Chrome's User-Agent Client Hints API to query the real OS version. Adding Firefox support for User-Agent Client Hints API is bug 1750143.

In this bug, I propose we try freezing the UA string at "Android 10" for Android versions <= 10. Duo's "Trusted Endpoint" OS version checks should still work because websites will see real version numbers for Android versions >= 11, whereas Firefox on Android versions 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, and 9 will pretend to be "Android 10".

This change already rode the trains when I tried to freeze the Android version for all versions (in bug 1865766) and the only webcompat problem we found only affected users with Android versions >= 11.

Example UA strings:

BEFORE: `Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
AFTER: `Mozilla/5.0 (Android 10; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
Bug 1894429 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
In bug 1865766, I tried to freeze the Android OS version exposed in Firefox Android's UA string at "Android 10", to reduce fingerprintable entropy passively exposed to the web and to match Chrome. As part of Chrome’s UA reduction, Google froze the Android version exposed in Chrome’s UA string at "Android 10" (in Chrome 110, May 2023):

https://www.chromium.org/updates/ua-reduction

However, we ran into a webcompat problem (bug 1876742) where Firefox users couldn't log into some work websites because Duo authentication's "Trusted Endpoint" OS version checks blocked users with Android versions < 11. Enterprise admins can configure Duo authentication to only permit client OS versions they consider secure enough to log into their work websites. This problem didn't affect Chrome because Duo can use Chrome's User-Agent Client Hints API to query the real OS version. Adding Firefox support for User-Agent Client Hints API is bug 1750143.

In this bug, I propose we try freezing the UA string at "Android 10" for Android versions <= 10. Duo's "Trusted Endpoint" OS version checks should still work because websites will see real version numbers for Android versions >= 11, whereas Firefox on Android versions 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, and 9 will pretend to be "Android 10".

This change already rode the trains when I tried to freeze the Android version for all versions (in bug 1865766) and the only webcompat problem we found only affected users with Android versions >= 11 and will benefit from reduced fingerprintable entropy.

Example UA strings:

BEFORE: `Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
AFTER: `Mozilla/5.0 (Android 10; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
In bug 1865766, I tried to freeze the Android OS version exposed in Firefox Android's UA string at "Android 10", to reduce fingerprintable user information passively exposed to the web and to match Chrome. As part of Chrome’s UA reduction, Google froze the Android version exposed in Chrome’s UA string at "Android 10" (in Chrome 110, May 2023):

https://www.chromium.org/updates/ua-reduction

However, we ran into a webcompat problem (bug 1876742) where Firefox users couldn't log into some work websites because Duo authentication's "Trusted Endpoint" OS version checks blocked users with Android versions < 11. Enterprise admins can configure Duo authentication to only permit client OS versions they consider secure enough to log into their work websites. This problem didn't affect Chrome because Duo can use Chrome's User-Agent Client Hints API to query the real OS version. Adding Firefox support for User-Agent Client Hints API is bug 1750143.

In this bug, I propose we try freezing the UA string at "Android 10" for Android versions <= 10. Duo's "Trusted Endpoint" OS version checks should still work because websites will see real version numbers for Android versions >= 11, whereas Firefox on Android versions 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, and 9 will pretend to be "Android 10".

This change already rode the trains when I tried to freeze the Android version for all versions (in bug 1865766) and the only webcompat problem we found only affected users with Android versions >= 11 and will benefit from reduced fingerprintable information.

Example UA strings:

BEFORE: `Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
AFTER: `Mozilla/5.0 (Android 10; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
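
The two rewriting rules discussed in the comment, compared side by side, as an added example that is not part of the bug comment and is not Firefox or Duo code. It follows the rule as stated in the prose (versions <= 10 report "Android 10", versions >= 11 report the real number); the function names, the UA-parsing version gate and its minimum version of 11 are assumptions made for illustration.

```javascript
// Added illustration. Names and the policy threshold are assumptions.
const ANDROID_TOKEN = /\(Android (\d+)(?:\.\d+)?;/;

// UA template from the comment's example strings; the version list is constructed.
const sampleUA = (v) =>
  `Mozilla/5.0 (Android ${v}; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`;
const SAMPLE_VERSIONS = ["5.0", "5.1", "9", "10", "11", "14"];

// Rule proposed in this bug: versions <= 10 report "Android 10",
// versions >= 11 keep their real number.
function clampAndroidVersion(ua) {
  return ua.replace(ANDROID_TOKEN, (token, major) =>
    Number(major) <= 10 ? "(Android 10;" : token);
}

// Earlier attempt (bug 1865766): every version reports "Android 10".
function freezeAndroidVersion(ua) {
  return ua.replace(ANDROID_TOKEN, "(Android 10;");
}

// Hypothetical server-side gate that only sees the UA string and
// admits clients whose reported major version is >= minMajor.
function passesOsVersionCheck(ua, minMajor) {
  const m = ANDROID_TOKEN.exec(ua);
  return m !== null && Number(m[1]) >= minMajor;
}

// Number of distinct Android tokens a passive observer sees across the samples.
function distinctTokens(rewrite) {
  const tokens = SAMPLE_VERSIONS.map(
    (v) => ANDROID_TOKEN.exec(rewrite(sampleUA(v)))[0]);
  return new Set(tokens).size;
}

// Per-version gate outcome under each rule, for a policy of "Android >= minMajor".
function compareRules(minMajor) {
  return SAMPLE_VERSIONS.map((v) => ({
    real: v,
    unmodified: passesOsVersionCheck(sampleUA(v), minMajor),
    frozen: passesOsVersionCheck(freezeAndroidVersion(sampleUA(v)), minMajor),
    clamped: passesOsVersionCheck(clampAndroidVersion(sampleUA(v)), minMajor),
  }));
}

console.table(compareRules(11));
```

With a minimum of 11, the `clamped` column matches `unmodified` for every sample version, while `frozen` rejects the Android 11 and 14 clients that the policy should admit.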