Opened 3 years ago

Closed 19 months ago

#20317 closed defect (duplicate)

Key permissions by first-party domain instead of origin (proposal)

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by arthuredelstein)

In Firefox (and current Tor Browser), permissions are keyed by origin. That is a tracking vector -- for example, on Google Maps, if you click the "Show your Location" button,


The browser asks "www.google.com: Would you like to Share your Location with this site?" If we choose "Always Share Location", then this permission is stored, keyed to www.google.com.


Now the UI says "this site", which is, to my ear, synonymous with "first party domain". But now on other sites, any third-party iframe from www.google.com (such as created by a Google Analytics script or a Google+ button) can know our location. And, further, it can expose a function call (using iframe postMessage tricks) that any other script on the same page could call to obtain our location. So in practice, we have given permission for numerous domains to obtain our location. And the very existence of the unusual permission setting, or any other, helps to track us.

So I would like to propose that we key every permission by first-party domain instead of origin domain. That means that the Permissions UI doesn't need to change much at all. We are still assigning each permission to a single domain. But this way, granting a permission to google.com would not leak to every other site.

And I would argue that this is already the perception of most users when they see a permission requested for "this site". Most users are not knowledgeable about the subtleties of third-party scripts -- they expect a permission to apply to the site they are visiting (the first party).

I would suggest we should write this patch for ESR52, which means using Origin Attributes and the pref "privacy.firstparty.isolate". Then we can hopefully uplift to Mozilla.

Child Tickets

Attachments (2)

permission.png (30.0 KB) - added by arthuredelstein 3 years ago.
location.png (4.2 KB) - added by arthuredelstein 3 years ago.


Change History (8)

Changed 3 years ago by arthuredelstein

Attachment: permission.png added

Changed 3 years ago by arthuredelstein

Attachment: location.png added

comment:1 Changed 3 years ago by arthuredelstein

Description: modified (diff)

comment:2 Changed 3 years ago by arthuredelstein

Description: modified (diff)

comment:3 Changed 3 years ago by arthuredelstein

Here's a demo that works on Firefox (not Tor Browser, because we don't have navigator.geolocation exposed).

First visit
https://torpat.ch/geolocate.html
And choose "Always Share Location" for torpat.ch.

Now visit
https://arthuredelstein.github.io/tordemos/geolocate.html
The iframe runs the same torpat.ch page to obtain location, and then uses postMessage to send the location to the parent page, at arthuredelstein.github.io.

(When you are done, be sure to revoke permissions to torpat.ch! :))
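To make the keying difference concrete, here is an added JavaScript model of a browser permission store. It is example code written for this page, not Firefox's or Tor Browser's own permission manager. It replays the scenario of the description and of the comment:3 demo using the torpat.ch and arthuredelstein.github.io domains from the comment; the PermissionStore class, the context() and permissionKey() helpers, the three keying mode names and the ads.example third party are assumptions constructed for the example. The third mode goes beyond the ticket's proposal: it partitions each origin by first-party domain, which shows the one case that keying by first-party domain alone still allows (a different third party embedded on the granting site inherits the grant).

```javascript
// Added model of a browser permission store (not Firefox or Tor Browser code).
// PermissionStore, context(), permissionKey(), the mode names and ads.example
// are constructed for this example; the other domains come from the ticket.

// A browsing context: the origin whose script requests the permission, and the
// first-party (top-level) domain of the page the user is actually looking at.
function context(origin, firstPartyDomain) {
  return { origin, firstPartyDomain };
}

// Key under which a grant is stored, for three keying strategies:
//   "origin"              - behaviour the ticket describes: keyed by origin only
//   "firstParty"          - the ticket's proposal: keyed by first-party domain only
//   "originAndFirstParty" - comparison variant: origin partitioned by first party
//                           (suffix shape chosen to resemble an origin-attribute suffix)
function permissionKey(ctx, type, mode) {
  switch (mode) {
    case "origin":
      return `${type}|${ctx.origin}`;
    case "firstParty":
      return `${type}|${ctx.firstPartyDomain}`;
    case "originAndFirstParty":
      return `${type}|${ctx.origin}^firstPartyDomain=${ctx.firstPartyDomain}`;
    default:
      throw new Error(`unknown keying mode: ${mode}`);
  }
}

class PermissionStore {
  constructor(mode) {
    this.mode = mode;
    this.grants = new Map(); // key -> "allow"
  }
  // The user picked "Always Share Location" (or equivalent) while in ctx.
  grant(ctx, type) {
    this.grants.set(permissionKey(ctx, type, this.mode), "allow");
  }
  // Would a request made from ctx succeed without a new prompt?
  isAllowed(ctx, type) {
    return this.grants.get(permissionKey(ctx, type, this.mode)) === "allow";
  }
}

// Replay of the situations discussed in the ticket:
//  1. the user visits torpat.ch as a first party and grants geolocation;
//  2. a third-party torpat.ch iframe embedded in arthuredelstein.github.io
//     asks again (the comment:3 demo);
//  3. a constructed third-party iframe from ads.example embedded in torpat.ch
//     asks, to show what keying by first party alone still permits.
function replayScenario(mode) {
  const store = new PermissionStore(mode);
  const firstPartyVisit = context("https://torpat.ch", "torpat.ch");
  const crossSiteIframe = context("https://torpat.ch", "arthuredelstein.github.io");
  const thirdPartyOnSite = context("https://ads.example", "torpat.ch");
  store.grant(firstPartyVisit, "geolocation");
  return {
    firstParty: store.isAllowed(firstPartyVisit, "geolocation"),
    crossSiteIframe: store.isAllowed(crossSiteIframe, "geolocation"),
    thirdPartyOnSite: store.isAllowed(thirdPartyOnSite, "geolocation"),
  };
}

// Side-by-side result for all three keying strategies.
function compareModes() {
  const out = {};
  for (const mode of ["origin", "firstParty", "originAndFirstParty"]) {
    out[mode] = replayScenario(mode);
  }
  return out;
}

console.log(compareModes());
```

Run it with node: under "origin" keying the cross-site iframe silently obtains the location, which is the leak the demo shows; under "firstParty" keying it does not, but a different third party embedded on torpat.ch does; only the combined key denies both, which is the extra check to keep in mind when reviewing a first-party-keying patch.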

comment:4 Changed 3 years ago by arthuredelstein

comment:5 Changed 2 years ago by cypherpunks

What is the status of this ticket after #21569 got fixed?

comment:6 in reply to: 5 Changed 19 months ago by gk

Resolution: duplicate
Status: new → closed

Replying to cypherpunks:

What is the status of this ticket after #21569 got fixed?

It's fixed by it and thus a duplicate.
