Should privacy.spoof_english be added? [A: nope, it is a runtime pref and not everyone uses en-US]

[huubert]

Hi,

When privacy.resistFingerprinting = true, a new option becomes available in:
General > Choose your preferred language for displaying pages > Choose > Request English versions of web pages for enhanced privacy

This option changes three config settings:

• intl.accept_languages = en-US, en
• javascript.use_us_english_locale = true
• privacy.spoof_english = 2

However, it seems user.js only considers the first two config settings.
Shouldn't privacy.spoof_english also be added?

[Thorin-Oakenpants]

spoof_english (if prompted and accepted) does two things

• it sets the languages to en-US,en = which we already do
• it enforces en-US locale for formatting = which we already do

spoof_english is redundant

[huubert]

If privacy.spoof_english isn't used, the GUI option ("Request English versions of web pages for enhanced privacy") will display as unchecked though, so it's not exactly redundant, it does something.

[Thorin-Oakenpants]

It doesn't matter about the UI. - RFP doesn't have any UI presence. It is redundant from a functional FPing standpoint which is all that matters

[huubert]

Yes, it matters. If you have:

• intl.accept_languages = en-US, en
• javascript.use_us_english_locale = true
• privacy.spoof_english = 0 (default)

...and you open that menu option, even if you click Cancel, then javascript.use_us_english_locale will be removed. So it´s definitely a good idea to use the 3 settings and not just 2.

[Thorin-Oakenpants]

There is no restriction on users changing settings or prefs per session. A user.js sets (resets) them on a session start. This is no different to a Tor Browser user doing the exact same thing

It is also problematic to set it and expose spoof_english via prefs, or it was and maybe needs revisiting

even if you click Cancel, then javascript.use_us_english_locale will be removed

I am using an en-US build. RFP is enabled but does not trigger any spoof_prompt because my build starts with en-* - so that has nevr been changed from default

• this setting only shows if RFP is enabled (AFAICT)
• RFP is on, prefs are set to use en-US etc
• I went to settings > language > choose > checked the box but clicked cancel
  • the box was unchecked because we were never asked to set spoof_english because we are an en* build
  • javascript.use_us_english_locale was NOT reset
• I went to settings > language > choose > checked the box AND CONFIRMED it
  • javascript.use_us_english_locale was NOT reset
• THEN i went back and unchecked the box
  • and that is when the pref was reset (and when ticking and confirming it puts it back)

Non RFP users we don't care. For RFP users, on an en* build at least, you have to make at least two changes. On non-en builds I will have to test, but I suspect the same applies, as the languages have already been changed to reflect en* and you will not be prompted

in other words you are talking very edge case

the checkbox

• unchecked = user_pref("privacy.spoof_english", 1);
• checked = user_pref("privacy.spoof_english", 2);

So it´s definitely a good idea to use the 3 settings and not just 2

This was all discussed four+ years ago

🔻 FF59

• 1039069 warn when language prefs are set to non en-US
  • privacy.spoof_english (pref is used internally AFAICT, we should not meddle with it)
  • at this stage the pref has not been added to the user.js, but the bugzilla has

also relevant is 1447592 FF61+ Don't reset privacy.spoof_english when RFP is flipped to false

• this was most likely why we didn't want to add the pref in FF59

---

Also, I expect use_us_english to be deprecated soon and RFP to just automatically apply the correct locale for any language used (and the checkbox option to be removed), and for spoof_english to simply become a prompt to use the most common language

I am not convinced in any way that we need to add spoof_english and complicate matters

[Thorin-Oakenpants]

re-opening to satisfy my curiosity and to remind me to check a few things

[fxbrit]

in an en-gb release, fresh profile, I enabled RFP and then set spoof_english to 2. TZP reports:

languages | language | languages[0] | en-US,en | en-US | en-US
resolvedOptions | en-US | en-US | en-US | en-US | en-US | en-US | en-US | not supported

javascript.use_us_english_locale and intl.accept_languages were both flipped to their AF value. wouldn't this allow you to replace two prefs with one in theory?

got the same result with a de-DE release, which surprise me cause the UI of the browser is german but all checks on TZP are fine. also, when enabling RFP in this german release I was prompted to change my language to english immediately.

edit: I tested everything manually with about:config changes. I should try with a user.js.
edit2: for some reason when set through a user.js file spoof_english fails to..spoof. javascript.use_us_english_locale and intl.accept_languages are unflipped. funny thing is that if I go to about:config and re-apply both RFP and spoof_english I effectively get all en-US on TZP while keeping a german UI.

ok the current setup is the only one that works in the context of a user.js, I can use whatever UI I want without leaking.

[Thorin-Oakenpants]

use this page - https://arkenfox.github.io/TZP/tests/formatting.html - it's locale/language only and ignores timezones

no, we need to set the two prefs, because

• spoof_english doesn't trigger with en-GB, en-CA etc, as it only checks for the first two chars being en
• it also fails to trigger if you change your languages from en-US, en to say en, en-US

When RFP is enabled the pref is reflected in the UI settings (otherwise the UI bit does not show)

spoof_english is meant to be runtime, it does things when triggered, such as on first HTTP* load. There's also something going on with when you flip RFP off (or maybe I am thinking that when RFP is flipped off, a patch was added to not reset spoof_english? - I can't remember) - anyway it's best left as runtime (see you already had issues trying to use it via user.js)

On Tor Browser en-US (they only put out the one en release), they do not set the pref value, because it is at default (in case people make changes) and the UI shows unchecked, even though the user is protected. Checking it does nothing.

Sure, if we set all three prefs from user.js (assuming spoof_english sticks), then big fucking deal. TB don't care about it. And I also don't know of the ramifications/side-effects and doing this and not letting runtime fully run it's course

In a non en* browser build, if the comments out the two language prefs, but RFP is on, then he will still get a prompt to spoof_english (assuming it is at default) - I want to runtime to happen so the user gets to decide

[Thorin-Oakenpants]

tl;dr - NO! SPOOF ENGLISH SHOULD BE LEFT ALONE

[fxbrit]

I'm sold on the final result but one more thing.

spoof_english doesn't trigger with en-GB, en-CA etc, as it only checks for the first two chars being en

but me said:

in an en-gb release, fresh profile, I enabled RFP and then set spoof_english to 2.

and as you can see everything was shown as en-US in TZP. I would have expected en tbh.