Fails to spoof userAgent for [aggressive] iframe navigator.userAgent and [aggressive] iframe navigator.appVersion

[rootkea]

Hello!

I'm using Firefox on Linux. The addon fails the tests [aggressive] iframe navigator.userAgent and [aggressive] iframe navigator.appVersion on https://webbrowsertools.com/useragent/

I have set userAgent string to be: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3831.6 Safari/537.36

1. [aggressive] iframe navigator.userAgent The addon fails to spoof the UA and real UA string gets detected.

2. [aggressive] iframe navigator.appVersion Addon fails this test too and the X11 platform gets detected

[ray-lothian]

Simply there is nothing I can do! The only way to bypass all these tests is to set the UA string manually from "about:config" in FF. Note that even if you use the "about:config" method, although the UA string is protected, still all other properties are revealing your identity.

If you are not going to alter the UA string frequently, you can set a single UA string in this extension popup and "about:config" to get the maximum protection.

[FossPrime]

Chrome doesn't have the ability to set a different permanent user agent. I'm pretty sure we can inject some JavaScript first thing document load. By intercepting it before the browser has it.

[ray-lothian]

@rayfoss we do inject the script on "document_start" of all frames. The issue is that to have access to the user-defined custom UA string, we need to use chrome.tabs.executeScript method to overwrite the navigator object rather than using the better approach, which is to inject the script by defining it in the "content_script" section of the manifest.json. The manifest.json can inject on "document_start", but we have no access to the user-defined UA string yet since it can only inject static files. Calling chrome.storage on the injected script is an async call, so we do not have the data ready if there is a sync script inside the page that wants to have access to the navigator properties. The problem with chrome.tabs.executeScript is that there is no guarantee it gets executed before "document_start" even if you request so.

I believe the current method that this extension uses is the best one we can have with the current extension APIs.

[ray-lothian]

Chrome doesn't have the ability to set a different permanent user agent

https://superuser.com/questions/334241/how-do-i-switch-my-user-agent-in-chrome

[ray-lothian]

Chrome doesn't have the ability to set a different permanent user agent.

As I have already pointed out, by setting the UA string from the command-line, you are only protecting one property. More navigator properties need to be protected. So it is still recommended to use a browser extension along with the command-line method.

[Killercat103]

@ray-lothian There seems that another extension supposedly managed to bypass this. Granted it is not merged so I can by no means prove it. (I am not experienced with compiling extensions from source) https://github.com/tarampampam/random-user-agent/pull/173

Maybe its worth looking into?

[domeniczz]

@ray-lothian I set manually set general.useragent.override in Firefox about:config, still got the same error shown by the OP. https://webbrowsertools.com/useragent/ can detect it. Why?

[Killercat103]

@ray-lothian I set manually set general.useragent.override in Firefox about:config, still got the same error shown by the OP. https://webbrowsertools.com/useragent/ can detect it. Why?

Did you disable the extension after setting this preference? I would additionaly like to note that with privacy.resistfingerprinting enabled the preference is ignored. I personally now turn of js by default with uBlock so this is not as much of an issue anymore.

[domeniczz]

@ray-lothian I set manually set general.useragent.override in Firefox about:config, still got the same error shown by the OP. https://webbrowsertools.com/useragent/ can detect it. Why?

Did you disable the extension after setting this preference? I would additionaly like to note that with privacy.resistfingerprinting enabled the preference is ignored. I personally now turn of js by default with uBlock so this is not as much of an issue anymore.

After setting general.useragent.override, I disabled the extension, restart the browser. I do not enable privacy.resistfingerprinting. Still being detected by https://webbrowsertools.com/useragent/.

I haven't turned off JS because this will largely impact my daily browsing experience.

If I try to spoof the UA, I will no longer be able to pass the Cloudflare human test. I think it is because cf detected UA spoofing.

[Killercat103]

@ray-lothian I set manually set general.useragent.override in Firefox about:config, still got the same error shown by the OP. https://webbrowsertools.com/useragent/ can detect it. Why?

Did you disable the extension after setting this preference? I would additionaly like to note that with privacy.resistfingerprinting enabled the preference is ignored. I personally now turn of js by default with uBlock so this is not as much of an issue anymore.

After setting general.useragent.override, I disabled the extension, restart the browser. I do not enable privacy.resistfingerprinting. Still being detected by https://webbrowsertools.com/useragent/.

I haven't turned off JS because this will largely impact my daily browsing experience.

If I try to spoof the UA, I will no longer be able to pass the Cloudflare human test. I think it is because cf detected UA spoofing.

Strange maybe I'd personally try approaching this with creating a new profile and applying the setting and only the setting. Test it and compare it with the prevoius one. Apply some changes to match the previous profile rinse and repeat