📝 Correction | privacy.trackingprotection.enabled makes the browser send the DNT header #2414
Reference: privacyguides/privacytools.io#2414
Description
I have noticed that setting privacy.trackingprotection.enabled to true makes the browser send DNT to every website. While this was theoretically a nice improvement when it was created, now it's not used by almost any website and instead helps tracking a lot, since very few browsers send this header.
Why I am making the suggestion
This feature is counterproductive to users' privacy
My connection with the software
I use firefox daily and I noticed the header sent to every website
I don't see the issue. Most users will have tracking protection and DNT enabled by now.
They don't, most browsers don't have it enabled by default, including chrome, ungoogled-chromium, firefox, brave and bromite. Which means that only the few that enabled it manually are actually sending DNT, which makes fingerprinting much easier. And websites simply don't respect the DNT header, which is why it's being deprecated
Can you please set ETP to Strict (without setting DNT to always) and test if the header is sent? PTIO is moving in the direction of just setting ETP to strict without tweaking from about:config. And it would be interesting to know if then DNT is sent.
It's true, most browsers don't send DNT by default (only librewolf does that AFAIK, which is a really bad idea. But again, who cares)
Yeah, setting ETP to Strict, both firefox desktop and mobile send DNT. Using every other tweak privacytools suggests except privacy.trackingprotection.enabled, firefox doesn't send DNT
Yeah so you will be in the pool of all people that have strict mode on. As long as you do not modify anything else I do not see the issue. I think Firefox purposefully does this so that more people will have DNT and therefore you won't stand out.
Exactly, you'll be in the small pool of people who use firefox, and in that pool you will be in the section of those who set strict ETP on. That's exactly why it makes fingerprinting easier. And since nobody uses it for its purpose, it can be used to target those who care for their privacy, so they can advertise VPNs and tech-related stuff
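One way to repeat the test requested in this thread, as an added example that is not part of the original issue: a loopback server that records whether each browser profile sends the DNT request header, so profiles with different settings can be compared side by side. The `label` query parameter, port 8000 and the function names are assumptions made for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs


def dnt_status(headers):
    """Classify the DNT request header; header names are case-insensitive."""
    values = [v.strip() for k, v in headers.items() if k.lower() == "dnt"]
    if not values:
        return "not sent"
    if values[0] == "1":
        return "sent: DNT: 1 (do not track)"
    if values[0] == "0":
        return "sent: DNT: 0 (tracking allowed)"
    return "sent: unexpected value %r" % values[0]


def label_from_path(path):
    """Read the ?label= query value that names the profile under test."""
    return parse_qs(urlsplit(path).query).get("label", ["unlabelled"])[0]


RESULTS = {}  # label -> status, filled in as each profile loads the page


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if urlsplit(self.path).path != "/":  # ignore favicon and similar fetches
            self.send_error(404)
            return
        RESULTS[label_from_path(self.path)] = dnt_status(self.headers)
        # Reply with every result so far, one profile per line.
        body = "\n".join("%s: %s" % kv for kv in sorted(RESULTS.items())) + "\n"
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Cache-Control", "no-store")  # always re-request
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Loopback only; the port is an arbitrary choice for this example.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Load `http://127.0.0.1:8000/?label=etp-strict` in one profile and, for instance, `?label=pref-only` in another; the page lists the DNT status recorded for each label.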