Changes between Initial Version and Version 1 of Ticket #20317


Timestamp:
Oct 7, 2016, 6:40:28 PM (3 years ago)
Author:
arthuredelstein
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #20317 – Description

    initial  v1    change      text
    1        1     unmodified  In Firefox (and current Tor Browser), permissions are keyed by origin. That is a tracking vector -- for example, on Google maps, if you click on the "Show your Location" button,
    2        2     unmodified  
    3        -     removed     
    -        3     added       [[Image(location.png)]]
    4        4     unmodified  
    5        5     unmodified  The browser asks "www.google.com: Would you like to Share your Location with this site?" If we choose "Always Share Location", then this permission is stored, keyed to www.google.com.
    6        6     unmodified  
    7        -     removed     Now on other sites, any third-party object from www.google.com (such as a Google Analytics script or a Google+ button) can know our location. Worse, it can expose a function call that any other script on the same page could call to obtain our location. So in practice, we have given permission for numerous domains to obtain our location. And the very existence of the permission setting, or any other, helps to distinguish us, and keying by origin doesn't help very much at all.
    -        7     added       [[Image(permission.png)]]
    -        8     added       
    -        9     added       Now the UI says "this site", which is, to my ear, synonymous with "first party domain". But now on other sites, any third-party object from www.google.com (such as a Google Analytics script or a Google+ button) can know our location. And, further, it can expose a function call that any other script on the same page could call to obtain our location. So in practice, we have given permission for numerous domains to obtain our location. And the very existence of the unusual permission setting, or any other, helps to track us.
    8        10    unmodified  
    9        11    unmodified  So I would like to propose that we key every permission by first-party domain instead of origin domain. That means that the Permissions UI doesn't need to change much at all. We are still assigning each permission to a single domain. But this way, granting a permission to google.com would not leak to every other site.
    10       12    unmodified  
    11       -     removed     And I would argue that this is already the perception of most users when they see a permission requested. Most users are not knowledgeable about the subtleties of third-party scripts -- they expect a permission to apply to the site they are visiting in the URL bar.
    -        13    added       And I would argue that this is already the perception of most users when they see a permission requested for "this site". Most users are not knowledgeable about the subtleties of third-party scripts -- they expect a permission to apply to the site they are visiting (the first party).
    12       14    unmodified  
    13       15    unmodified  I would suggest we should write this patch for ESR52, which means using Origin Attributes and the pref "privacy.firstparty.isolate". Then we can hopefully uplift to Mozilla.
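The following is an added illustration, not code from the ticket or from Firefox/Tor Browser: a small JavaScript model of a permission store that can be keyed either by the requesting origin (the behaviour the ticket describes) or by the first-party domain (the ticket's proposal). It replays the ticket's scenario, a geolocation grant made on www.google.com, and reports which contexts can read the location afterwards under each policy. The hostnames, the `context`/`PermissionStore`/`scenario` helpers and the simplified "last two labels" first-party rule are assumptions for illustration; real browsers derive the first party from the public-suffix list.

```javascript
// Added example, not part of ticket #20317 or of any browser's code.
// Models permission storage keyed by origin versus by first-party domain.

// Simplified first-party domain: the last two labels of the URL-bar host.
// Assumption for illustration; browsers use the public-suffix list (eTLD+1).
function firstPartyDomain(urlBarHost) {
  return urlBarHost.split('.').slice(-2).join('.');
}

// A request context: the origin of the script asking for the permission,
// and the site the user sees in the URL bar (the first party) at that time.
function context(scriptOrigin, urlBarHost) {
  return { origin: scriptOrigin, firstParty: firstPartyDomain(urlBarHost) };
}

// Permission store parameterised by the keying policy.
class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;       // maps a context to the storage key
    this.grants = new Set();  // entries of the form "<key>|<permission>"
  }
  grant(ctx, permission) {
    this.grants.add(this.keyFn(ctx) + '|' + permission);
  }
  isGranted(ctx, permission) {
    return this.grants.has(this.keyFn(ctx) + '|' + permission);
  }
}

// Current behaviour described in the ticket: key = requesting origin.
const keyByOrigin = ctx => ctx.origin;
// Proposed behaviour: key = first-party domain shown in the URL bar.
const keyByFirstParty = ctx => ctx.firstParty;

// Replays the ticket's scenario against one store and reports who can
// read the location afterwards. Hostnames are constructed sample values.
function scenario(store) {
  const GOOGLE = 'https://www.google.com';

  // User is on Google Maps and chooses "Always Share Location".
  store.grant(context(GOOGLE, 'www.google.com'), 'geolocation');

  return {
    // A www.google.com script embedded as a third party on example.com.
    // If true, that script can read the location and, as the ticket notes,
    // expose a function that any other script on the page could call.
    thirdPartyOnExample:
      store.isGranted(context(GOOGLE, 'www.example.com'), 'geolocation'),
    // example.com's own script asking while the user is on example.com.
    exampleFirstParty:
      store.isGranted(context('https://www.example.com', 'www.example.com'), 'geolocation'),
    // A different google.com origin, while the user is still on google.com.
    // Shows that first-party keying still assigns the grant to one domain.
    otherGoogleOriginOnGoogle:
      store.isGranted(context('https://maps.google.com', 'maps.google.com'), 'geolocation'),
  };
}

const byOrigin = scenario(new PermissionStore(keyByOrigin));
const byFirstParty = scenario(new PermissionStore(keyByFirstParty));
console.log('keyed by origin:      ', byOrigin);
console.log('keyed by first party: ', byFirstParty);
```

Under origin keying the third-party google.com script on example.com is granted, which is the leak the ticket describes; under first-party keying that lookup uses the key `example.com` and fails, while a google.com page still finds its own grant. The model only covers the lookup rule; it says nothing about how the Origin Attributes implementation mentioned in the ticket stores the key.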