
Issue 860229

Starred by 15 users

Issue metadata

Status: Started
OS: Android, iOS, Chrome
Pri: 1
Type: Bug

Blocking:
issue 494452
issue 527925




Remove OS build number from user-agent string

Project Member Reported by tnagel@chromium.org, Jul 4

Issue description

Remove the OS build number from the user-agent string to prevent abuse of that information such as exploit targeting and fingerprinting and to bring Chrome closer in line with RFC 7231 section 5.5.3.

https://www.chromestatus.com/feature/4558585463832576
 
Blocking: 527925
Sample user-agent strings from the six major platforms:

Android:
Mozilla/5.0 (Linux; Android 8.1.0; Pixel XL Build/OPM4.171019.021.P1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36

Chrome OS:
Mozilla/5.0 (X11; CrOS x86_64 10575.58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

iOS:
Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/67.0.3396.69 Mobile/15F79 Safari/604.1

Linux:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36

Mac:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Windows:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Of these six, Android, Chrome OS and iOS user-agent strings contain a build number which should be removed.
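
An added example (not part of the issue or of Chromium's code) for auditing which user-agent strings in your own logs still expose an OS build identifier. The patterns are inferred from the six sample strings above, the function names are hypothetical, and the last sample is constructed to show the frozen iOS token "15E148" that a later commit in this thread introduces:

```javascript
// Added example: patterns are inferred from the sample strings in this issue,
// not taken from Chromium source. All names here are hypothetical.
const FROZEN_IOS_BUILD = "15E148"; // frozen value named in the iOS commit message

const RULES = [
  { platform: "Android", re: /\(Linux; Android [^)]*?\bBuild\/([^;)\s]+)/ },
  { platform: "Chrome OS", re: /\bCrOS \S+ (\d+(?:\.\d+)+)\)/ },
  { platform: "iOS", re: /\bCriOS\/\S+ Mobile\/([0-9A-Za-z]+)/ },
];

// Returns { platform, build } when the UA exposes a per-build identifier, else null.
function findBuildNumber(ua) {
  for (const { platform, re } of RULES) {
    const m = re.exec(ua);
    if (!m) continue;
    // The frozen iOS token is the same on every device, so it is not reported.
    if (platform === "iOS" && m[1] === FROZEN_IOS_BUILD) return null;
    return { platform, build: m[1] };
  }
  return null;
}

// Counts exposing user agents per platform, e.g. over values pulled from access logs.
function summarize(userAgents) {
  const counts = {};
  for (const ua of userAgents) {
    const hit = findBuildNumber(ua);
    if (hit) counts[hit.platform] = (counts[hit.platform] || 0) + 1;
  }
  return counts;
}

// The first six strings are the samples from this issue; the seventh is constructed.
const SAMPLES = [
  "Mozilla/5.0 (Linux; Android 8.1.0; Pixel XL Build/OPM4.171019.021.P1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36",
  "Mozilla/5.0 (X11; CrOS x86_64 10575.58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/67.0.3396.69 Mobile/15F79 Safari/604.1",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/67.0.3396.69 Mobile/15E148 Safari/604.1",
];

console.log(summarize(SAMPLES));
```
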
Cc: torne@chromium.org
Cc: eugene...@chromium.org danyao@chromium.org
+eugenebut and danyao for iOS user agent in case there are any compat issues we know about. 
Project Member

Comment 5 by bugdroid1@chromium.org, Jul 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ca28ae7f2f9fedc710ef4de09af32c17c57786ef

commit ca28ae7f2f9fedc710ef4de09af32c17c57786ef
Author: Thiemo Nagel <tnagel@chromium.org>
Date: Fri Jul 13 14:24:23 2018

Freeze iOS kernel version in user-agent

Freeze the iOS kernel version in the user-agent string to be "15E148"
for iOS 11.3 and later for consistency with Safari and to reduce the
fingerprinting surface.

Likewise, reduce OS version granularity from three numbers to two
numbers for iOS 11.3 and later.

BUG=860229

Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I0165ba4ae9dfd51308e26ebecba1a5dfba3df398
Reviewed-on: https://chromium-review.googlesource.com/1126105
Commit-Queue: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Eugene But <eugenebut@chromium.org>
Reviewed-by: Justin Cohen <justincohen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574910}
[modify] https://crrev.com/ca28ae7f2f9fedc710ef4de09af32c17c57786ef/ios/web/public/user_agent.mm

Cc: mgalonsky@chromium.org
Cc: -mgalonsky@chromium.org tnagel@chromium.org
Owner: mgalonsky@chromium.org
We should be sure to check that the changes are also reflected in:
* navigator.appVersion
* navigator.userAgent
I just tested User-Agent header and navigator.{appVersion,userAgent} on a recent iOS build. I got 15E148 and 11_4 for iOS 11.4.1 --> looks good.
Project Member

Comment 10 by bugdroid1@chromium.org, Aug 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/15417f9fea50700ac8a02b77d554aeb1f3d220c8

commit 15417f9fea50700ac8a02b77d554aeb1f3d220c8
Author: Melissa Galonsky <mgalonsky@chromium.org>
Date: Fri Aug 10 16:03:35 2018

Remove the build id from the Chrome Android user agent for all non-Web View cases.

Per crbug.com/860229, removes the Android build number from the Android user agent, but creates a
Finch experiment that allows the change to be re-enabled.  Does not apply the change to Android
Web View as mandated by the Android Compatibility Definition Document.


Bug: 860229
Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I57c24994958d840c80600356f12b2ce20c8a9f74
Reviewed-on: https://chromium-review.googlesource.com/1157225
Commit-Queue: Melissa Galonsky <mgalonsky@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Luke Halliwell <halliwell@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Reviewed-by: Ryo Hashimoto <hashimoto@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582186}
[modify] https://crrev.com/15417f9fea50700ac8a02b77d554aeb1f3d220c8/android_webview/common/aw_content_client.cc
[modify] https://crrev.com/15417f9fea50700ac8a02b77d554aeb1f3d220c8/chrome/browser/chromeos/drive/drive_integration_service.cc
[modify] https://crrev.com/15417f9fea50700ac8a02b77d554aeb1f3d220c8/chrome/browser/net/default_network_context_params.cc
[modify] https://crrev.com/15417f9fea50700ac8a02b77d554aeb1f3d220c8/chromecast/common/cast_content_client.cc
[modify] https://crrev.com/15417f9fea50700ac8a02b77d554aeb1f3d220c8/content/common/user_agent.cc
[modify] https://crrev.com/15417f9fea50700ac8a02b77d554aeb1f3d220c8/content/public/common/user_agent.h

Verified User-Agent header and navigator.{appVersion,userAgent} on clank canary.
Cc: halliwell@chromium.org
And this is a sample UA string from Fuchsia:
mozilla/5.0 (x11; fuchsia x86_64) applewebkit/537.36 (khtml, like gecko) chrome/71.0.3557.0 safari/537.36

(All lowercase because it was manually copied from test hardware. Thank you Wez!)
Components: -Privacy Privacy>Fingerprinting
Cc: pkasting@chromium.org tommi@chromium.org
 Issue 348418  has been merged into this issue.
This is a duplicate of bug # 494452 which I reported back in 2015
Blocking: 494452
Yes, it's overlapping with your bug. (The issue at hand covers only the build number, and it's not limited to Android.) I've made it a blocker for the bug you filed. Thanks for your report and your interest.
