User.js: How to safely change language

What version of Firefox are you on?

Some of the numbers are incorrect (your 0203 + 0204 -> our 0202, and 0205 is inactive). And are you using RFP (pref 4501)?

• 0205 is inactive: it only applies to your Firefox/application language and does not (except for a few obscure leaks getting patched) have any bearing on what web sites can see. This is menus, about pages, messages from Firefox, etc.

this leaves

🔹 lot 1

• 0202 + 0206
  
  
  
  • browser.search.region + browser.search.geoip.url
  
  
  • browser.search.geoSpecificDefaults + browser.search.geoSpecificDefaults.url
  
  

I'm not sure exactly how these work. I think they're only used on the search engines bundled with your Firefox. They're definitely not web-wide: i.e. only the search engine you're using would be affected (not sure in what way or how)

You can probably leave these active in the user.js and no would care.

🔹 lot 2

• these are the ones that really matter
  
  
  
  • 0207 intl.accept_languages
  
  
  • 0208 javascript.use_us_english_locale
  
  
  • 0209intl.regional_prefs.use_os_locales
  
  

I won't go into these right now. Tell me what version of FF you on

🔹 ip address

BUT, knowing that I have a non US/UK IP address, would it be that terrible if the headers leak my language ?

If you're not masking your IP address, then a lot of things we do don't make sense. It's like locking your front door and leaving all the windows wide open. You would stick out, but I doubt you'd be unique. You would definitely be more unique within your ISP's IP ranges.

If you're using a VPN, then it also probably doesn't do any harm. Within your VPN's IP ranges you probably wouldn't be unique, and you can always keep changing IPs. If they can't link back to you, then you'll just be some person who uses Spanish or something.

My overrides:

/* Default German (not US) serche engines */
user_pref("browser.search.region", "DE");
/* Use German FF UI */
user_pref("intl.locale.requested", "de-DE");
/* do not fake english */
user_pref("privacy.spoof_english", 1); // 0: Ask 1: No 2: Yes
user_pref("intl.accept_languages", "de, en-US, en");
user_pref("javascript.use_us_english_locale", false);

What I still need to do:

• interactions with RFP
• interaction between the last three
• intl.accept_languages: de vs. de-DE (default without user.js)

_Firefox release_

interactions with RFP

The thing with privacy.spoof_english is, if anything, you should set it back to 0, and just the once, so you get re-prompted: the code behind what you select when prompted, then changes other prefs. We deliberately kept this out of the user.js for this reason.

That's not to say that you can't set it as 1 or 2 and roll your own other changes.

What version of Firefox are you on?

I'm on the latest (v69).

Some of the numbers are incorrect (your 0203 + 0204 -> our 0202, and 0205 is inactive).

Mhm... my bad. 0203 & 0204 don't exist, it's 0202, you're right.

And are you using RFP (pref 4501)?

Yes I have user_pref("privacy.resistFingerprinting", true);

If you're using a VPN, then it also probably doesn't do any harm. Within your VPN's IP ranges you probably wouldn't be unique.

Yes I use a VPN but what makes you think that I would probably not be unique within my VPN's IP ranges ?

and you can always keep changing IPs. If they can't link back to you, then you'll just be some person who uses Spanish or something.

That's what I thought.

Yes I use a VPN but what makes you think that I would probably not be unique within my VPN's IP ranges ?

Depends on the number of VPN users. If it's a well known and vetted popular one, then I doubt users are hiding their language (because they can't be traced anyway), and there would be lots of different language users

Even Tor is not strict about this. On first run, you get prompted to request pages in your app language, or to always use English (US).

I'd have to re-run a non-English TB pack to see what the default values are.

about those search engines: https://bugzilla.mozilla.org/show_bug.cgi?id=1369299

In Tor Browser, we don't want to store any long-term state that could serve a way for network adversaries to distinguish users. So we disabled the GeoIP search and region defaults to ensure that location information isn't getting stored in the browser.search.* prefs, which could be inferred by future search requests.

So I'm not sure how this works, as I said before. Because lets say you connect to DDG or google, etc .. only the search engine sees your requests: and if you're requesting pages in Spanish, I don't know what the search engines do. If it's google, I think they just redirect to the TLD of the IP, but maybe they redirect you to the TLD of the same language? IDK.

I think this is TB being ultra careful, given their threat model: so they default everyone to US. TB en-US blocks these: the 0202 URL is blanked, and the 0206 is false

In Firefox, I think your best bet is to be the same as everyone else if you don't mask your language: so why would you request "US" in regional search when you are "DE" or something. I don't think it's much of a threat TBH. Especially if you add your own sanitized search engine, and use a privacy respecting one as much as possible (it's hard to get away from google's superior results though). I also add search engines for sites I use a lot

I'm just getting more questions than answers when I try to answer your question. If your OS locale is the same as your APP locale, then just comment them all out in the user.js, reset* all of them in about:config, since you're behind a VPN, and set privacy.spoof_english to 1

Thanks Thorin.

only the search engine sees your requests

I don't understand why you say this. A website has access to browser language.

If your OS locale is the same as your APP locale, then just comment them all out in the user.js, reset* all of them in about:config, since you're behind a VPN, and set privacy.spoof_english to 1

This seems to be the right thing to do. I'll do this !

only the search engine sees your requests

I was referring to the search prefs as linked in the bugzilla. Your preferred language (in the header) and your javascript navigator objects can be read by any site. What the geoIP etc search prefs do (I am not entirely sure) is probably allow you to set a different language for search engines: IDK if that's all installed search engines, or just bundled ones, or if it pertains to only when searched from Activity Stream, the search bar, or the location bar. IDK