hackerone | Ryotak | H1:588239
May 23, 2019 - 1:21 a.m.

Tor: Detect Tor Browser's language

2019-05-23 01:21:29
ryotak
hackerone.com

EPSS

0.002

Percentile

61.3%

# Summary
Some error pages use text based on Tor Browser’s language, and it can be stolen through an iframe.

# Details
Since the language of Tor Browser is used for the title of the link tag on the 404 error page, an attacker can obtain the language of Tor Browser even if the user has set privacy.spoof_english to 2.
I attached a PoC and a video for this.

If the server returns an empty response, Tor Browser will show this page in the iframe:

```html
<html class="mozwebext">
    <head>
        <link rel="alternate stylesheet" type="text/css" href="resource://content-accessible/plaintext.css" title="Wrap Long Lines">
    </head>
    <body>
        <pre></pre>
    </body>
</html>
```

But if the user uses the Japanese version of Tor Browser (this is an example; it can be used in other languages), it will show this page:

```html
<html class="mozwebext">
    <head>
        <link rel="alternate stylesheet" type="text/css" href="resource://content-accessible/plaintext.css" title="長い行を折り返す">
    </head>
    <body>
        <pre></pre>
    </body>
</html>
```

So the parent window can steal it:

```
title="長い行を折り返す"
```

There may be similar vulnerabilities in other error pages.

# Impact

An attacker can steal the language of Tor Browser even if the user has set privacy.spoof_english to 2.
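
A regression check for this class of leak, as an added example that is not part of the original report or of Tor Browser's code: it compares the markup of a browser-generated page under a non-English locale against the English baseline and reports every localizable attribute or text node that differs. The attribute list and the function names are assumptions; the two sample pages are the ones quoted in the report.

```javascript
// Added example, not from the report. Attribute list is an assumption.
const LOCALIZED_ATTRS = ["title", "alt", "placeholder", "aria-label", "label"];

// The two pages quoted in the report (English and Japanese Tor Browser).
const page = (title) => `<html class="mozwebext">
    <head>
        <link rel="alternate stylesheet" type="text/css" href="resource://content-accessible/plaintext.css" title="${title}">
    </head>
    <body>
        <pre></pre>
    </body>
</html>`;
const EN_PAGE = page("Wrap Long Lines");
const JA_PAGE = page("長い行を折り返す");

// Collect localizable attribute values and non-empty text nodes, in order.
// Simplified tokenizer: assumes no ">" inside attribute values, which holds
// for the browser-generated pages checked here.
function extractStrings(html) {
  const out = [];
  const tokenRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>|([^<]+)/g;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of html.matchAll(tokenRe)) {
    if (m[1]) {
      const tag = m[1].toLowerCase();
      for (const a of m[2].matchAll(attrRe)) {
        const name = a[1].toLowerCase();
        if (LOCALIZED_ATTRS.includes(name)) {
          out.push({ where: `${tag}@${name}`, value: a[2] ?? a[3] ?? a[4] });
        }
      }
    } else if (m[3] && m[3].trim()) {
      out.push({ where: "#text", value: m[3].trim() });
    }
  }
  return out;
}

// Strings in the observed page that the English baseline does not contain.
function findLocaleLeaks(englishHtml, observedHtml) {
  const key = (s) => `${s.where}\u0000${s.value}`;
  const expected = new Set(extractStrings(englishHtml).map(key));
  return extractStrings(observedHtml).filter((s) => !expected.has(key(s)));
}

console.log(findLocaleLeaks(EN_PAGE, JA_PAGE));
```

Running the same comparison over the markup of the other error pages, captured with privacy.spoof_english set to 2, covers the similar cases the report suspects.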
