Opened 3 months ago

Closed 3 months ago

#22900 closed defect (duplicate)

Tor Browser loads a script from Google Analytics on the Addon Management page

Reported by: justJanne
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: i139
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Summary:

The add-on management page in the Tor Browser loads discovery.addons.mozilla.org, which includes a Google Analytics script that can, at the moment, not be disabled.

Steps to reproduce:

Open Menu. Select Addons. Select "Get Addons", unless this is already selected.

Expected behaviour:

Does not load any tracking.

Actual behaviour:

Loads a tracking script from Google Analytics.

Child Tickets

Ticket: #22899
Status: closed
Owner: yawning
Summary: `about:addons`'s "Get Addons" pane is unsafe and should be treated as such.
Component: Applications/Tor Browser Sandbox

Attachments (1)

vdlFWYR.png (293.0 KB) - added by justJanne 3 months ago.
Screenshot showing the Google Analytics script being loaded in the network tab of the developer tools in the addon page


Change History (11)

Changed 3 months ago by justJanne

Attachment: vdlFWYR.png added


comment:1 Changed 3 months ago by justJanne

comment:2 Changed 3 months ago by kumar303

Google Analytics is used by Mozilla under a specific contract that restricts how the data can be used at Google. Mozilla is comfortable that it's not used for tracking purposes.

However, Tor could disable the Discovery Pane altogether by setting the extensions.webservice.discoverURL setting to another website. This would only disable add-on discovery. It would not disable the ability to manage add-ons for the Tor browser.

comment:3 Changed 3 months ago by yawning

#22903 was a duplicate.

comment:4 in reply to:  1 Changed 3 months ago by cypherpunks

Replying to justJanne:

Relevant upstream bug: https://github.com/mozilla/addons-frontend/issues/2785

The proposed fix won't work, they're saying that if DNT is enabled then the analytics.js won't load. But DNT is set to false in the Tor Browser (and rightly so). Better fix is to have an option for disabling it. Another alternative fix is to have the Tor Browser block www.google-analytics.com entirely.

Another solution which I think gk will like: always block scripts on about:addons, its functionality will still be there despite JS being disabled (with the exception of a video not rendering out :).

A bit disappointing to see Mozilla do stuff like this without possibility to opt-out. :(


comment:5 Changed 3 months ago by yawning

> Better fix is to have an option for disabling it.

The correct general fix is to make it explicitly opt in, via something like a HTTP header.

E.g.: Serve pages that load the analytics js if the HTTP request has X-Mozilla-Tracking-Opt-In set (and only set the header when making requests from the about context, if the user has opted in). However that requires trusting Mozilla to implement and honor the header, so alternatives that do not require such things should be explored.

comment:6 Changed 3 months ago by cypherpunks

"Get Addons" is the only tab on about:addons that loads the discovery.addons.mozilla.org page.
Setting the hidden boolean preference extensions.getAddons.showPane to false removes this tab.


comment:7 in reply to:  6 Changed 3 months ago by gk

Resolution: duplicate
Status: new → closed

Replying to cypherpunks:

> "Get Addons" is the only tab on about:addons that loads the discovery.addons.mozilla.org page.
> Setting the hidden boolean preference extensions.getAddons.showPane to false removes this tab.

Yep, which we wanted to do anyway for unrelated reasons. Closing this as a duplicate of #22073.
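
An added example, not code from this ticket or from Tor Browser: a Node.js check that reads Firefox-style `prefs.js`/`user.js` text and reports whether the two preferences named in the comments above still leave the "Get Addons" pane pointing at discovery.addons.mozilla.org. The function names, the sample file contents and the assumed defaults (pane shown, discovery URL on that host when the preference is unset) are assumptions made for illustration.

```javascript
const DISCOVERY_HOST = "discovery.addons.mozilla.org"; // host named in the ticket

// Parse user_pref("name", value); lines; later entries override earlier ones.
function parsePrefs(text, into = new Map()) {
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    let value;
    try { value = JSON.parse(raw); } // booleans, numbers, quoted strings
    catch { value = raw; }           // keep anything else verbatim
    into.set(name, value);
  }
  return into;
}

// Report whether about:addons would still fetch the remote discovery page.
function auditDiscoveryPane(prefs) {
  // Assumed defaults: pane shown, discoverURL on DISCOVERY_HOST when unset.
  const showPane = prefs.has("extensions.getAddons.showPane")
    ? prefs.get("extensions.getAddons.showPane") : true;
  const url = prefs.get("extensions.webservice.discoverURL");
  let host = DISCOVERY_HOST;
  if (typeof url === "string") {
    try { host = new URL(url).hostname; } catch { host = ""; }
  }
  const paneVisible = showPane !== false;
  return { paneVisible, host,
           loadsDiscoveryPage: paneVisible && host === DISCOVERY_HOST };
}

// Merge files in load order (prefs.js first, then user.js) and audit.
function auditProfile(...files) {
  const prefs = new Map();
  for (const text of files) parsePrefs(text, prefs);
  return auditDiscoveryPane(prefs);
}

// Constructed sample file contents, not taken from a real profile.
const prefsJs = `
user_pref("extensions.getAddons.showPane", true);
`;
const userJs = `
// user_pref("extensions.webservice.discoverURL", "about:blank");
user_pref("extensions.getAddons.showPane", false);
`;

console.log(auditProfile(prefsJs));         // pane still loads the discovery page
console.log(auditProfile(prefsJs, userJs)); // pane hidden by user.js
```

A `discoverURL` that points at another site makes `loadsDiscoveryPage` false while `paneVisible` stays true, so the returned `host` shows where the pane would load from instead.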

comment:9 Changed 3 months ago by i139

Cc: i139 added
Resolution: duplicate
Status: closed → reopened

comment:10 Changed 3 months ago by gk

Resolution: duplicate
Status: reopened → closed