On Fri, Mar 22, 2019 at 6:07 AM Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> On Thu, Mar 21, 2019, 9:39 PM Rik Cabanier, <caban...@gmail.com> wrote:
>
>> Why are these sites not included in the "safe browsing" service that is
>> used by most browsers?
>> That way, everyone would be protected.
>>
>
> Because the relevant part of safe browsing service covers a different set
> of criteria: https://www.google.com/about/unwanted-software-policy.html.
>

I think this page has the 3 criteria:
https://safebrowsing.google.com/#policies
It seems origins that try to fingerprint users or do cryptomining fall under
categories 1 and 3

> But more importantly, Google's safe browsing isn't by far the only block
> list of bad URLs based on various criteria that various browsers and
> extensions use to improve the user's browsing experience. To answer your
> actual question here, the block lists we're working with Disconnect to
> create here are available for everyone to use under a permissive license at
> https://github.com/disconnectme/disconnect-tracking-protection. We
> actually ingest the list using the safe browsing protocol so other browsers
> that have implemented that protocol could do the same today.
>

Good to know. Thanks for that link!

>
>> On Thu, Mar 21, 2019 at 2:59 PM Steven Englehardt
>> <sengleha...@mozilla.com> wrote:
>>
>> > Summary:
>> > We are expanding the set of resources blocked by Content Blocking to
>> > include domains found to participate in cryptomining and fingerprinting.
>> > Cryptomining has a significant impact on a device’s resources [0], and
>> > the scripts are almost exclusively deployed without notice to the user
>> > [1]. Fingerprinting has long been used to track users, and is in
>> > violation of our anti-tracking policy [2].
>> >
>> > In support of this, we’ve worked with Disconnect to introduce two new
>> > categories of resources to their list: cryptominers [3] and
>> > fingerprinters [4]. As of Firefox 67, we have exposed options to block
>> > these categories of domains under the “Custom” section of the Content
>> > Blocking in about:preferences#privacy. We are actively working with
>> > Disconnect to discover new domains that participate in these practices,
>> > and expect the lists to grow over time. A full description of the lists
>> > is given here [5].
>> >
>> > Bugs:
>> > Implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1513159
>> > Breakage:
>> > Cryptomining: https://bugzilla.mozilla.org/show_bug.cgi?id=1527015
>> > Fingerprinting: https://bugzilla.mozilla.org/show_bug.cgi?id=1527013
>> >
>> > We plan to test the impact of blocking these categories during the
>> > Firefox 67 release cycle [6][7]. We are currently targeting Firefox 69
>> > to block both categories by default, however this may change depending
>> > on the results of our user studies.
>> >
>> > To further field test the new lists, we expect to enable the blocking of
>> > both categories by default in Nightly within the coming month. If you do
>> > discover breakage related to this feature, we ask that you report it in
>> > one of the cryptomining or fingerprinting blocking breakage bugs above.
>> >
>> > Link to standard: These are additions to Content Blocking/Tracking
>> > Protection which is not a feature we've standardized.
>> >
>> > Platform coverage:
>> > Desktop for now. It is being considered for geckoview
>> > (https://bugzilla.mozilla.org/show_bug.cgi?id=1530789) but is on hold
>> > until the feature is more thoroughly tested.
>> >
>> > Estimated release:
>> > Disabled by default and available for testing in Firefox 67. We expect
>> > to ship this on by default in a future release, pending user testing
>> > results. An intent to ship will be sent later.
>> >
>> > Preferences:
>> > * privacy.trackingprotection.fingerprinting.enabled - controls whether
>> >   fingerprinting blocking is enabled
>> > * privacy.trackingprotection.cryptomining.enabled - controls whether
>> >   cryptomining blocking is enabled
>> >
>> > These can also be enabled using the checkboxes under the Custom section
>> > of Content Blocking in about:preferences#privacy for Firefox 67+.
>> >
>> > Is this feature enabled by default in sandboxed iframes?: Blocking
>> > applies to all resources, regardless of their source.
>> >
>> > DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1537627
>> > When blocking of either category is enabled, any blocked resources will
>> > be logged to the console with the following message:
>> > `The resource at “example.com” was blocked because content blocking is enabled.`
>> >
>> > Do other browser engines implement this?
>> > Opera and Brave block cryptominers using the no-coin cryptomining list
>> > [8][9]. The cryptomining list supplied by Disconnect is, in part,
>> > created by matching web crawl data against no-coin and other
>> > crowdsourced lists. No other browsers currently block the fingerprinting
>> > list, as we are working with Disconnect to build it for this feature.
>> > However, many of the domains on the fingerprinting list are likely to
>> > appear on other crowdsourced adblocking lists.
>> >
>> > Web-platform-tests: Since content blocking is not a standardized
>> > feature, there are no wpts.
>> >
>> > Is this feature restricted to secure contexts? No. Users benefit from
>> > blocking in all contexts.
>> >
>> > [0] https://arxiv.org/pdf/1806.01994.pdf
>> > [1] https://nikita.ca/papers/outguard-www19.pdf
>> > [2] https://wiki.mozilla.org/Security/Anti_tracking_policy
>> > [3] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9537
>> > [4] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9316
>> > [5] https://wiki.mozilla.org/Security/Tracking_protection#Lists
>> > [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1533778
>> > [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1530080
>> > [8] https://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/
>> > [9] https://github.com/brave/adblock-lists/blob/master/coin-miners.txt
>> > _______________________________________________
>> > dev-platform mailing list
>> > dev-platform@lists.mozilla.org
>> > https://lists.mozilla.org/listinfo/dev-platform