FFXIVQuickLauncher icon indicating copy to clipboard operation
FFXIVQuickLauncher copied to clipboard

Published 20 hours ago verified publisher icon goatcorp

Update headers for latest boot version

Open NotNite opened this issue 7 months ago • 4 comments

Boot is now using WebView2, so the headers are different. Chrome 135, baby! Did not check patch-dl and friends as those aren't done through the HTML part. Tested with mitmproxy. Other observed things:

  • User-Agent now depends on what's installed on the system, I had 135, this might differ for other people. Don't think it's a huge deal as long as it's new enough to not be suspicious.
  • UA computer ID is different, not sure when this changed and also not a big issue (as long as it's consistent between logins) but still something to note.
  • Accept-Language was always ja for me, not sure why. That's written into config with the normal generated string, and AFAICT that code path should work, but something must've written ja into my launcher config at some point and I never noticed.
  • I do not know what the numbers mean in Accept but I hope to god that's not something specific with my PC.
  • Region should probably stop being hardcoded lol.

NotNite avatar Apr 22 '25 13:04 NotNite

UA computer ID is different, not sure when this changed and also not a big issue (as long as it's consistent between logins) but still something to note.

I.. actually see this as a bit of a yellow flag.. as if SE reset everyones computer ID, then in their database, if they simply look for logins with a ID with timestamps before/after the change, they have a list of people to be suspect at. I believe the cautious approach is to reset (and keep consistent) in-line with the launcher.

t8d7 avatar Apr 22 '25 14:04 t8d7

Some context: There seems to be a fallback if WebView2 doesn't work (dunno if IE or CEF), theoretically this isn't required but it'd be nice to merge for consistency.

actually see this as a bit of a yellow flag

I agree, it should be corrected (probably), but to SE it just looks like two PCs. This also probably wasn't introduced with this patch, just something I observed today. Something to look at in the future, but it's not high priority for the moment. (Also, changing the algorithm that derives the computer ID might cause password resets for people without 2FA, so maybe it's best it stays consistently inconsistent?)

NotNite avatar Apr 22 '25 15:04 NotNite

Fair, especially on the timing of the reset.

Also, changing the algorithm that derives the computer ID might cause password resets for people without 2FA

That'd normally make since, except for the scenario where they officially (essentially) reset everyones computer ID, so for normal users, they see both old and new 'computers'. Considering they did it officially, it's safe to assume they halted/changed the automatic password reset system because of the change. If that holds, then us rotating IDs should be perfectly fine (if staggered, if all of XIVLauncher users suddenly change ID's, then that can also be tracked in a database (would be an annoying sql query to write though)

t8d7 avatar Apr 22 '25 15:04 t8d7

except for the scenario where they officially (essentially) reset everyones computer ID, so for normal users, they see both old and new 'computers'.

It didn't as far as I can tell. Nite's post is a bit ambiguous on this but I confirmed with them, they were referring to the ID XL uses being different from the one the official launcher uses which is "intentional". But yes, I agree in principle.

goaaats avatar Apr 22 '25 18:04 goaaats