sticky: Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts #350
Comments
https://bugzilla.mozilla.org/show_bug.cgi?id=1429714 is about service workers.
That's how it's supposed to work, but extensions don't see the changes made to headers by other extensions and therefore it's possible that the cookie(s) will still be sent.
Either you're using extensions which are adding their own cookies to the request header (after uMatrix stripped it) or you're using malicious extensions which are sending a hidden/background request. The question is: why on earth are you using such extensions?
That's not how it works. All extensions receive the headers in parallel and unmodified. It doesn't matter if uMatrix stripped it because the next extension still sees the original cookie header.
I don't, but there are apparently people who have like 70+ addons or whatnot, and I'm just saying that it can happen. Here are just 2 examples of legitimate extensions that do or could modify the cookie header in certain situations: https://github.com/snyderp/web-api-manager/blob/master/add-on/background_scripts/background.js#L58
The strategy looks good. If you block the canvas via FF the canvas is completely handled by it and CB never kicks in. EDIT: when I messed around with this feature I think I also found a way to ignore the resistFingerprint setting (or answer). Not sure if this is useful or not...
Block does block the API and therefore generates errors in most pages that just assume that the API is accessible. If you want the same behaviour as in RFP=block you have to use the "white" random number generator. The detection test is using canvas but only a minor subset of the API. The block mode may block before the RFP kicks in.
Can't find where I mentioned the idea of general API blocking, but hey look: [dead link]
3P Request Blocker by Sw prevents your browser from connecting to 3rd party resources without user consent. Only 61.0 KiB
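The interaction described in the two comments above, as an added example that is not part of this thread and not the code of uMatrix, Firefox or any extension: a simplified JavaScript model of two `webRequest.onBeforeSendHeaders` listeners, written from the claim that every listener is handed the original, unmodified headers. The listener names, the sample request headers and the merge rule (each returned header list replaces the previous result, so the last listener decides) are assumptions made for illustration, not Firefox's actual merging code.

```javascript
// Added example: simplified model of two extensions both listening to
// webRequest.onBeforeSendHeaders. Models the claim that each listener sees the
// ORIGINAL headers; the merge rule below is an assumption, not browser code.

// Constructed sample request headers, in the {name, value} shape the
// webRequest API uses.
const ORIGINAL_HEADERS = [
  { name: "Host", value: "example.test" },
  { name: "Cookie", value: "session=abc123" },
  { name: "User-Agent", value: "Mozilla/5.0" },
];

// Listener A (hypothetical uMatrix-like blocker): drops the Cookie header.
function cookieStripper(details) {
  return {
    requestHeaders: details.requestHeaders.filter(
      (h) => h.name.toLowerCase() !== "cookie"
    ),
  };
}

// Listener B (hypothetical "legitimate" extension): works from the headers it
// was handed and appends its own cookie to whatever Cookie header is there.
function cookieAppender(details) {
  const headers = details.requestHeaders.map((h) => ({ ...h }));
  const cookie = headers.find((h) => h.name.toLowerCase() === "cookie");
  if (cookie) {
    cookie.value += "; ext_pref=1";
  } else {
    headers.push({ name: "Cookie", value: "ext_pref=1" });
  }
  return { requestHeaders: headers };
}

// Assumed merge rule: every listener receives a copy of the unmodified
// headers, and each returned header list replaces the previous result, so the
// last listener to return a full list decides what is sent.
function runListeners(listeners, originalHeaders) {
  let result = originalHeaders.map((h) => ({ ...h }));
  for (const listener of listeners) {
    const details = { requestHeaders: originalHeaders.map((h) => ({ ...h })) };
    const out = listener(details);
    if (out && out.requestHeaders) {
      result = out.requestHeaders;
    }
  }
  return result;
}

// Returns the value of a header (case-insensitive) or null if absent.
function getHeader(headers, name) {
  const h = headers.find((x) => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// Order 1: stripper runs first, appender second -> the cookie comes back,
// because the appender never saw the stripped version.
const stripperFirst = runListeners([cookieStripper, cookieAppender], ORIGINAL_HEADERS);
// Order 2: appender first, stripper second -> no cookie is sent.
const stripperLast = runListeners([cookieAppender, cookieStripper], ORIGINAL_HEADERS);

console.log("stripper first:", getHeader(stripperFirst, "Cookie"));
console.log("stripper last :", getHeader(stripperLast, "Cookie"));
```

The practical takeaway for anyone relying on one extension to strip a header: verify the outcome against a request echo you control rather than assuming the extension's view of the headers is what left the browser, since under this model the result depends on listener order.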
Correct me if I'm wrong, but shouldn't Cookie AutoDelete work with FPI already in Firefox 59?
Is there an easy way to find out if it's working as intended, I mean, if it's deleting localStorage, etc. with CA-D and FPI turned on? Sorry if I'm being a bit off-topic.
Thanks so much @Thorin-Oakenpants
Sweet ❤️
https://www.reddit.com/r/uMatrix/comments/7p7adg/web_workers/ |
As for privacy.resistFingerprinting, I had to disable it due to two reasons:
There may have been other issues as well, but I didn't get far enough in using it to find out. Are there solutions to these problems? I would really like to use this feature.
I'm not saying I plan to disable it permanently because of it, but I've had it disabled the past couple weeks while testing stuff, installing and trying out addons, and a feature like this should work for non-advanced users, who aren't going to know why the AMO site isn't working properly and know how to fix it. Not to mention you'd think Mozilla would make their feature not interfere with their own website. Just seems like a pretty significant oversight. Anyways, I was hoping someone knew of a pref or addon that would disable it on certain sites and/or AMO or that could override it so the user agent could be forced on those sites. Also, this should be mentioned in the OP, so people aren't caught off guard when they enable this pref then find AMO doesn't work right. And I realize the time zone change is a feature, not a bug; I wasn't saying otherwise. I'm just saying that I would like the ability to have the benefits of resistFingerprinting without the subsequent issues caused by that. Ideally, it should provide a way to tell it to leave that alone. Since that's clearly not the case, again I was wondering if anyone knew of a way to override it.
I understand how fingerprinting and uniqueness works, and that I would be setting myself apart by changing my time zone, but I suspect I would still be much less unique than if not using the pref at all, and therefore that it would by no means be pointless.
I get that. All I was looking for was a workaround that hopefully somebody had found to fix this issue, to prevent having to change the setting every time the user wants to look at or install addons.
I was saying that in your canvas section, where you mention to use the pref, a simple caution that it will cause AMO to not work properly could be added so anybody that reads it will know about the breakage, so then when they go to AMO they'll be aware of it, vs just enabling it and then going there and not knowing why it's not working. I'm not saying they should be told to use it with caution, just that they should be cautioned (or perhaps a better word would be informed) about the issue. That's all.
CanvasBlocker 0.4.6-Alpha1 now also does Audio... see here: kkapsner/CanvasBlocker#71 (comment). I am sure that @kkapsner would appreciate some testing from you guys too. Cheers
@Thorin-Oakenpants: I see you already updated the code URL. Now that @meh has given me full access rights on AMO, I've also created the privacy policy you requested a year ago: https://addons.mozilla.org/de/firefox/addon/smart-referer/privacy/ Edit: Thorin: done. And thanks. PS: I stripped out the
value can be toggled with Toggle Fonts add-on (AMO) note that Toggle Fonts does not alter
You don't seem to understand fingerprinting very well. RFP & canvas currently lowers the entropy in that metric; in fact, it eliminates it by making everyone the same. As soon as you diverge from other RFP users, you stand out. Obviously it depends on the script, but I'm talking theoretically - which is how you need to approach it. Any hole is a hole that can be exploited. It's not hard to detect RFP: you can just check timing rounding (which could be changed by a pref value - it sucks though because the check takes time: you could probably get away with 30ms). And there are other cumulative checks that could give it away (but not totally infallible). But since FF78 there's an even quicker method (less than 1ms, 100% correct, all the time). And RFP does allow a site exception for canvas: it's not like you don't have some control. Of the at least 8 methods to confound FPing, one is to lower entropy, one is to raise. Both have pros and cons. AFAIK, RFP canvas is going to become randomized - but until it does, don't undermine it - that's just stupid. Also: just so people are aware - don't use Waterfox: there is nothing it does that Firefox can't (there might be the one odd thing here or there: I'm not wasting my time checking). This does not include legacy extension support: which I consider the lack of in Firefox as a good thing, and the inclusion of in Waterfox as a security hole.
Not if I can help it. There is no reason to use a fork.
OK, you really don't understand FPing.
And that there is the first flaw in your argument: panopticlick is not real world and the data is tainted (not the actual FPing, just the entropy). And that's not the site's fault, it's the nature of the beast and those who (repeatedly) visit, and who constantly tweak their metrics: thus artificially screwing the results.
What does that even mean? In reality, the standard is not lying (most users don't install extensions, at least not canvas ones, and at least not in Firefox). For those who do lie: they can be lowering or raising entropy. So if you mean randomizing is more prevalent, then I would say based on some numbers, that you're wrong. In Firefox (and it's trivial to detect that you are on Firefox), I don't know the number of RFP, but all the TB users (which uses Firefox) are lowering canvas. There's some 2 million TB users at any given time [1]. Overall, there would be more. That figure there far outweighs the total (i.e. not always online at the same time) FF users with canvas randomizing - CB has 50k installs, Canvas Defender 15K and so on. But that doesn't even fucking matter: if the subset of users you are in lowers, then you do the same. You sure don't get it. [1] https://metrics.torproject.org/userstats-relay-country.html
Clearly you need help.
Just visited uMatrix repos, @gorhill has archived it all, says he won't spend any more time on uMatrix. uBO is nice and all for cosmetic filtering but it does not come anywhere close to the control you have in uMatrix. Disappointing - no discussion, no warning, just a guy opening an issue and getting told "forget it I'm done" and poof, everything archived :-(
Not surprising at all given the number of commits on uBO vs. uM. I'm very disappointed by this - there's lots I could say about this but I'll refrain, suffice to say that I think some of his decisions are idiotic, starting with splitting uBO off from uM.
With Chameleon, your timezone can be automatically adapted to your IP. And in that precise case, it supersedes the RFP's GMT+0 timezone
I guess you refer to https://addons.mozilla.org/de/firefox/addon/chameleon-ext/. No, you shouldn't use such extensions.
No further questions, Your Honor.
What should be done to make uBlock Origin handle trackers instead of the browser? I use AdNauseam so it'd be nice to be able to send a message
A list of stuff - thanks @smithfred for the ideas
Extensions can often work better than a global pref because of their flexibility (but may still have downsides or issues), or they can enhance/complement them, or they can clash. Either way, there is always more than one way to skin a cat (no cats were harmed in the making of this issue).
Here are some solutions that may fit your needs. If you have any other suggestions to this list-in-progress, please let us know :)
🔶 Mixed Passive Content
- Pref: `security.mixed_content.block_display_content=true` (1241)
- uMatrix: `https-strict: * true`

🔶 Web Workers
- Pref: `dom.workers.enabled=false` (2301) and/or `dom.serviceworkers.enabled=false` (2302). `dom.workers.enabled` was removed in FF60.
- uMatrix: `no-workers: * true`

🔶 Cookies [1]
- Pref: `network.cookie.cookieBehavior=2` (block all) (2701); allow (eg for logins), allow for session (eg for sites that require them to work)
- uMatrix: `* * cookie block`

🔶 Cookies [2]
- Pref: same as Cookies [1]: `network.cookie.cookieBehavior=2` (block all) (2701); allow (eg for logins), allow for session (eg for sites that require them to work)

🔶 Canvas
- Pref: `privacy.resistFingerprinting=true` (4501) (RFP)
- default permission (but looks unlikely). Hopefully it will also be added to the options Site Preferences section for site management. Update: preferred fix is to restrict/lower the prompts

🔶 Referers
- SiteA (SOURCE, 1st party). SiteA requests content from 3rd party SiteB, SiteC, SiteD (B, C, D are DESTINATION). SiteA might include a referer (basically saying "Hi I'm requesting this for SiteA") to any or all of those destination sites.
- uMatrix: `referrer-spoof: * true`
- destination (see this uMatrix wiki entry)