🌐 Website Issue | about:config tweaks can leave users exposed to unblockable tracking via google analytics #1594

Closed
opened 2019-12-18 05:09:49 +00:00 by User486375 · 0 comments
User486375 commented 2019-12-18 05:09:49 +00:00 (Migrated from github.com)

Description

If you enable all tweaks except for privacy.trackingprotection.enabled, which seems redundant if you read its description, and also do not have DNT (Do Not Track) enabled, you will be exposed to unblockable Google Analytics on all privileged pages listed here (https://github.com/gorhill/uMatrix/wiki/Privileged-Pages) while not in private windows, as without this set to true, tracking content is only blocked in private windows. The other downside about this is that uBlock Origin, uMatrix, etc. won't even detect that it's been loaded, and anti-fingerprinting extensions become useless.

The cause of this is that Firefox will only enable Google Analytics on its privileged pages if you don't send DNT, as they actually honour it. The result of this, though, is that the only blocker that works on privileged pages (Firefox tracking protection) has nothing to block when it's enabled, because Firefox forces DNT when Firefox is set to block known trackers, resulting in Google Analytics not being loaded.

Possible Solutions

Solutions to this would be either to change the description of the privacy.trackingprotection.enabled setting to emphasize its benefits on privileged pages, or to add privacy.donottrackheader.enabled to the list, or both, as privacy.trackingprotection.enabled in effect forces DNT in all windows, so there's no downside to having both enabled as a fallback.

Lastly, in addition to the other options, there is an option for advanced users, as stated at the bottom of the page here, which I had linked above. Setting extensions.webextensions.restrictedDomains to empty allows uBlock Origin to run on privileged pages and therefore block Google Analytics. The downside, though, is that in doing so you allow any other installed extensions to do the same, though in my opinion if an extension is trying to manipulate privileged pages you've got more things to worry about. The other issue seemed to be that doing so caused Firefox itself to no longer trust addons.mozilla.org when installing extensions, but as I stated before, if you already have a malicious extension, the installing of another would be redundant. Lastly, there's also the possibility of a uBlock blocklist blocking updates or syncing to Firefox, though I actually doubt this is possible.

Screenshots

  • privacy.trackingprotection.enabled on the default setting of false on addons.mozilla.org

This dropdown is the privacy.trackingprotection.enabled toggle

[Screenshots 4, 1, 2]

extensions.webextensions.restrictedDomains set to default demonstrating why you can't easily notice

[Screenshot 3]

Showing why DNT auto enables with privacy.trackingprotection.enabled true

[Screenshot 5]

  • Result of privacy.trackingprotection.enabled set to true on addons.mozilla.org

[Screenshots 6, 7]

Confirming it's gone by setting extensions.webextensions.restrictedDomains to empty

[Screenshot 8]

  • Result of empty extensions.webextensions.restrictedDomains and false privacy.trackingprotection.enabled on addons.mozilla.org

[Screenshots 9, 10]

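The pref combination described in the issue above can be checked mechanically against a profile's user.js or prefs.js. The following is an added example, not part of the original issue or the project's code; the function names and finding labels are hypothetical, and it assumes a pref that is absent from the file is at the false default the issue describes.

```python
import re

# Matches lines such as: user_pref("privacy.trackingprotection.enabled", true);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def parse_prefs(text):
    """Return {pref_name: value} from the text of a user.js / prefs.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]  # string pref, quotes stripped
        else:
            prefs[name] = raw  # integers and anything else kept as text
    return prefs

def audit(prefs):
    """Flag the exposure described in the issue (labels are hypothetical)."""
    # Assumption: an absent pref means the default, taken to be false here.
    tp = prefs.get("privacy.trackingprotection.enabled", False)
    dnt = prefs.get("privacy.donottrackheader.enabled", False)
    restricted = prefs.get("extensions.webextensions.restrictedDomains")
    findings = []
    if not tp and not dnt:
        # Neither setting suppresses analytics on privileged pages.
        if restricted == "":
            findings.append("analytics-blockable-by-extensions-only")
        else:
            findings.append("analytics-unblockable-on-privileged-pages")
    if restricted == "":
        # The trade-off the issue notes: every installed extension gains access.
        findings.append("all-extensions-can-run-on-privileged-pages")
    return findings

# Constructed sample: other tweaks applied, tracking protection and DNT left out.
SAMPLE_USER_JS = '''\
// constructed sample profile
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.resistFingerprinting", true);
'''

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE_USER_JS)):
        print(finding)
```
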
Reference: privacyguides/privacytools.io#1594