🌐 Website Issue | about:config tweaks can leave users exposed to unblockable tracking via google analytics #1594
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#1594
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Description
If you enable all tweaks except for
privacy.trackingprotection.enabled
which seems redundant if you read its description, as well as not having DNT (Do Not Track) enabled, you will be exposed to unblockable Google Analytics on all privileged pages listed here, while not in private windows. As without this set to true, tracking content is only blocked in private windows. The other downside about this is uBlock Origin, uMatrix etc won't even detect that it's been loaded. As well as anti-finger printing extensions becoming useless.The cause of this is that Firefox will only enable Google Analytics on its privileged pages if you don't send DNT, as they actually honour it. The result of this though, means that the only blocker that works on privileged pages (Firefox tracking protection) has nothing to block when it's enabled because Firefox forces DNT when Firefox is set to block known trackers resulting in Google Analytics not being loaded.
Possible Solutions
Solutions to this would be to either to change the description of the
privacy.trackingprotection.enabled
setting to emphasize its benefits on privileged pages, addprivacy.donottrackheader.enabled
to the list. Or both asprivacy.trackingprotection.enabled
in effect forces DNT in all windows, so there's no downside to having both enabled as a fallback.Lastly in addition to the other options, an option for advanced users as stated at the bottom of the page here which I had linked above. Setting
extensions.webextensions.restrictedDomains
to empty allows uBlock Origin to run on privileged pages and therefore block Google Analytics, the downside though being that in doing so you allow any other extensions installed to do the same, though in my opinion if an extension is trying to manipulate privileged pages you got more things to worry about. The other issue seemed to be that in doing so it caused Firefox itself to no longer trustaddons.mozilla.org
when installing extensions but as I stated before if you already have a malicious extension, the installing of another would be redundant. Lastly there's also the possibility of a uBlock blocklist blocking updates or syncing to Firefox, though I actually doubt this is possible.Screeshots
privacy.trackingprotection.enabled
on the default setting of false onaddons.mozilla.org
This dropdown is the
privacy.trackingprotection.enabled
toggleextensions.webextensions.restrictedDomains
set to default demonstrating why you can't easily noticeShowing why DNT auto enables with
privacy.trackingprotection.enabled
trueprivacy.trackingprotection.enabled
set to true onaddons.mozilla.org
Confirming it's gone by setting
extensions.webextensions.restrictedDomains
to emptyextensions.webextensions.restrictedDomains
and falseprivacy.trackingprotection.enabled
onaddons.mozilla.org