Opened 23 months ago

Last modified 16 months ago

#23349 needs_information defect

Disable navigator.send_beacon().

Reported by: yawning Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The call: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon

The pref: beacon.enabled

While this is briefly touched upon in #17718, it deserves separate discussion.

This API runs counter to "Transparency in Navigation Tracking", and the HTML equivalent (<a ping="...">) is currently disabled (browser.send_pings is set to false by default even with standard Firefox).

Child Tickets

Change History (3)

comment:1 Changed 23 months ago by gk

Status: newneeds_information

What is so special about sendBeacon that we should treat it differently than the more cumbersome it means to replace (see the MDN page you linked to and https://w3c.github.io/beacon/, especially the Privacy and Security section? Or, asked differently, why should we allow all the other awful techniques but not sendBeacon.

Could you elaborate on the "runs counter to 'Transpaency in Navigation Tracking'" claim? What does sendBeacon add that is not entailed in the usual third party (data aggregation) requests?

comment:2 in reply to:  1 Changed 23 months ago by yawning

Replying to gk:

What is so special about sendBeacon that we should treat it differently than the more cumbersome it means to replace (see the MDN page you linked to and https://w3c.github.io/beacon/, especially the Privacy and Security section? Or, asked differently, why should we allow all the other awful techniques but not sendBeacon.

In an ideal world, we shouldn't allow any of those other awful things either.

Could you elaborate on the "runs counter to 'Transpaency in Navigation Tracking'" claim? What does sendBeacon add that is not entailed in the usual third party (data aggregation) requests?

"Report session data when the page transitions to background state or is being unloaded, without blocking the user agent." is anything but transparent. Philosophically, an API call that was introduced primarily to facilitate anti-privacy practices is horrific and evil.

I guess a better time to push for it being disabled was, when it was first introduced, because it was blatantly broken (CVE-2014-8638), and not just when I disagree with it from a philosophical point of view.

*shrug*

comment:3 Changed 16 months ago by cypherpunks

What's wrong with disabling beacon.enabled?

Note: See TracTickets for help on using tickets.