User.js: UA spoofing: general.*.override & navigator objects

OS, bitness and browser is almost impossible to spoof.
You can safelly spoof browser version, but not faking FF as for example Chrome, IE, or something else.
Even when the results on some test pages show that you have done it succesfully, there is a method over iFrame, which allways reveals the real data. ;)
And there are for sure other methods we are even not aware off for now.
The same goes with screen resolution spoofing. There is no real solution for now.

I would really suggest to remove those from your user.js.
Otherwise you are fingerprinted as a spoofer. ;)

Maybe I am wrong here, so don't kill me for my comment. ;)

Great. You guys did a tremendous job in a very short time.
All I can say is in two words: THANK YOU

:)
Cheers

Hi, Pants! So user.js updates are now basically real time, I like that :)

IMHO the current 2627 prefs work surprisingly well to spoof OS and FF version. They produce plausible results when you don't make big changes. I wouldn't remove them, the included comments are sufficient. The TCP/IP OS Fingerprinting method used by BrowserLeaks to reveal the actual Windows NT kernel version might have nothing to do with Firefox?

I know spoofing your browser (instead of just the browser version) and resolution won't really work.

Tools like Nmap and P0f look at the TCP/IP stack parameters of the system.

explanation

general.oscpu.override does little or nothing against tools that read system values stored in windows registry or linux config files.

With all the things we already do (dom.*, disabled ciphers, etc.) worrying about spoofing your OS is really not worth the effort IMHO. with 1600 downloads we are in a pretty small group anyway.
From all the 2627 stuff I only use general.buildID.override but now that I think about, I don't even need that. Those things are maybe useful if you compile your own FF on linux but my buildID on Windows is the same for everyone with the same FF version. And I don't spoof my UA anymore either, so yeah, I'm resetting it and comment it out in my user.js

User Agent spoofing without JS works fine.

User Agent spoofing without JS works fine. that depends on what you spoof as.
If it's anything but Firefox then the available ciphers and their order already make you pretty unique.
CSS can also be used to some degree to identify if you're using FF, Chrome or whatnot.
And honestly, if you spoof another FF version what good does that really do?

I spoof the latest FF on previous versions.

Spoof to FF version that has biggest market share.
That would normally be the latest standard. If you are using ESR or nightly, then spoofing makes sense if we assume that fingerprinting isn't beyond that.
https://techblog.willshouse.com/2012/01/03/most-common-user-agents/

Googlebot 2.1 User Agent String:
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Good choice. That's unclear territory, must be investigated.

general.useragent.override is an incomplete solution.

sure, why not.
I prefer if the user_pref line isn't indented, but you're in charge of formatting ;)

is indented, in the entire js

Yes, but my idea is to use multi-line JS comments, like so ...

/* 2697-A: navigator.userAgent leaks in JS
   // NOTE: setting this will break any UA spoofing add-on whitelisting ***/
//user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref)
/* 2697-B: navigator.buildID (see gecko.buildID in about:config) reveals build time
   // down to the second which defeats user agent spoofing and can compromise OS etc
   // https://bugzilla.mozilla.org/show_bug.cgi?id=583181 ***/
//user_pref("general.buildID.override", "20100101"); // (hidden pref)

or like this:

/* 2697-A: navigator.userAgent leaks in JS
 * NOTE: setting this will break any UA spoofing add-on whitelisting ***/
//user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref)
/* 2697-B: navigator.buildID (see gecko.buildID in about:config) reveals build time
 * down to the second which defeats user agent spoofing and can compromise OS etc
 * https://bugzilla.mozilla.org/show_bug.cgi?id=583181 ***/
//user_pref("general.buildID.override", "20100101"); // (hidden pref)

Well, if it was example 2, it makes sense to have all the //user_pref lines on column 0 when you collapse all items with your editors hotkey. I also prefer if the actual commented out JS code ie the user_prefs lines, don't have a single space between // and the 'user_pref'. But it's just MY coding style.
If we ever gonna make the change we should do it sooner rather than later, before more people start a fork.
Should we be democratic about it and create a poll with all possible formats and let the majority decide?
IMO it's more than a 'slight' improvement, especially if you edit a local copy in an editor.
It makes such a big difference in terms of better overview, easier to organize, etc.
We don't necessarily have to change the entire file at once IMO.

/*** 2700: COOKIES & DOM STORAGE ***/
/* 2701: single line pref ***/
user_pref("blabla", true);
/* 2702: multi-line active
 * blabla
 * more blabla ***/
user_pref("blablub", true);
/* 2703: single or multi-line inactice ***/
//user_pref("blibli", true);

note:

1. always use ***/ to end-comment, makes it easier to see
2. also use /* ... ***/ for single line numbers, so only inactive user_pref lines would have //
   2a. hence having the //user_pref's on column 0 would be nice
3. align the *'s for multi-line (this is what most people do for multi-line comments in sources afaik)

take it or don't, I've said my peace, please don't hate me for not picking A or B ;)

ps. ok your last pic also looks nice. I don't mind, do what you prefer