
How Tracking Protection Works in Firefox - ronjouch
http://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
======
hackuser
Thank you François for the explanation. If you are reading this, did you
evaluate various information sources (Ghostery, etc.) before settling on
Disconnect? It would be valuable to everyone to know the results of that
research; users mostly have to trust the various vendors without knowing how
effective they really are.

OT: Does anyone understand why Mozilla publishes valuable information like
this over random personal blogs, rather than a central place like a knowledge
base (e.g., a wiki)? It makes discoverability, both when the information is
published and more importantly when I need it, very difficult.

I know about Planet Mozilla, their aggregated blog feed, but the
signal-to-noise ratio is much too low (which isn't a criticism of the content,
I just don't have time or interest in that much detail about Mozilla).

~~~
Osmose
It's not intentional. Granted, it's not like Mozilla itself decided that
fmarier's blog was the best place to put this, he just posted it because it's
his blog and he's a smart person. :D

It's actually a consequence of a few things (including things I'm not aware of),
like:

1\. There is no one team dedicated to writing detailed technical documentation
at the level you're talking about, and it's not required as part of submitting
a patch.

2\. The details about these implementations change often, making it harder to
keep what documentation there is up-to-date.

3\. Firefox is so friggin' big. It'd be a _ton_ of documentation that most
users (read: not developers) wouldn't care about.

We have a wiki, but it's more useful to contributors and staff than it is to
the general public: [https://wiki.mozilla.org](https://wiki.mozilla.org)

We have MDN (which is also basically a wiki), which is more user-facing in
terms of its content, and it has
[https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking...](https://developer.mozilla.org/en-US/Firefox/Privacy/Tracking_Protection),
but that doesn't go into detail like this post.

It's tough.

~~~
jacquesm
It's also quite hard to file a bug. I did just that the other day, didn't want
to make an account, tried to use my github account, failed at that, eventually
did make an account. It's a pretty annoying bar to have to create an account
with some system just to report a bug (which one should be able to do even
anonymously). I understand you're trying your very best and work extremely
hard but these little details all taken together add up to a fragmented and
inconsistent picture which is something I really find a pity because Mozilla
is an absolutely excellent product from a group of extremely capable people.

~~~
fabrice_d
As far as I know, people working on bugzilla have github based login on their
radar. Don't ask me for a roadmap though, but people hanging out in #bmo on
irc.mozilla.org should be able to fill in details.

Fully anonymous login is an open door to way more spam than we want to handle
;)

~~~
jacquesm
The github based login is there but it just doesn't work. I figured it would
be a bit meta to file a bug for a bugtracker...

~~~
dylanh
It breaks in the case someone has multiple email addresses associated with
their github account. That bug was fixed and will be out soon. :-)

~~~
jacquesm
Ah, that is exactly the case, I have one for 'business' and one for 'private'
stuff. Thank you for the clarification, it was quite a confusing situation
because you ended up in an endless merry-go-round.

------
aorth
I'm curious how this behaves in relation to blocking third-party cookies via
Settings→Privacy→Accept third-party cookies: Never. I've had this turned on
for a year or so.

Also, I wonder what this would catch that uBlock Origin wouldn't? I assume
that if it's "good enough" then it's probably the better solution to use in
Firefox, especially with the new extension format and multi-process (e10s)
coming eventually in Firefox.

~~~
ronjouch
> _I'm curious how this behaves in relation to blocking third-party cookies
> via Settings→Privacy→Accept third-party cookies_

It doesn't. The option you mention is about cookies acceptance on a
first-party vs. third-party policy; trackingprotection is about blocking
regular http requests on a blacklist basis.

> _Also, I wonder what this would catch that uBlock Origin wouldn't? I assume
> that if it's "good enough" then it's probably the better solution to use in
> Firefox, especially with the new extension format and multi-process (e10s)
> coming eventually in Firefox._

I perceive it as exactly this too, a "simple and good enough" solution. Get
uBlock Origin (or any other blocker) if you want the bells and whistles and
more {white/black}list control.

Nit: e10s has no problems with uBlock Origin at all, it's still working within
my e10s-enabled Developer Edition 44.0a2.

~~~
aorth
Ah, you're right about the cookies thing. Regarding uBlock Origin and e10s,
you've never gotten the dialog "uBlock Origin is making Firefox run slowly" or
similar? I believe that's related to e10s...

~~~
ronjouch
In a sense, this feature/dialog is "close" to e10s as it's under the same
umbrella at Mozilla, the "Snappy" [1] effort to work on performance. But it's
not the same:

\- e10s is about making each browser tab an independent process [2]. Some
addons have glitches with it, but uBlock Origin is not one of them.

\- The feature you saw just proactively tells users about addons degrading
performance and helps them disable them or adjust their expectations. See [3].
EDIT hmmm, you _are_ right, actually! The bug explicitly mentions the goal to
_"identify add-ons that are causing jank because of their CPOW usage"_, and
CPOW is an e10s thing [4]. TIL, thanks :)

[1] [https://wiki.mozilla.org/Performance/Snappy](https://wiki.mozilla.org/Performance/Snappy)

[2] [https://wiki.mozilla.org/Electrolysis](https://wiki.mozilla.org/Electrolysis)

[3] [https://bugzilla.mozilla.org/show_bug.cgi?id=1071880](https://bugzilla.mozilla.org/show_bug.cgi?id=1071880)

[4] [https://developer.mozilla.org/en-US/Firefox/Multiprocess_Fir...](https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Cross_Process_Object_Wrappers)

------
ForHackernews
This is only enabled in incognito mode? Is there a way (about:config?) to
switch it on all the time?

~~~
aibara
It's only on in private browsing by default. You can switch it on all the time
by setting privacy.trackingprotection.enabled to true in about:config.

~~~
jokoon
But it's going to break many sites.

------
jarvuschris
Sounds like this will block hosted analytics solutions like Google Analytics,
but the same data is available to the first party site if they roll their own
analytics. In this case you're not really adding any protection for the user,
just disadvantaging smaller publishers in understanding how their site is
being used

~~~
JupiterMoon
I don't understand. You are complaining that this blocks third party tracking
right? This is what it is meant to do.

~~~
StavrosK
Google Analytics uses first-party cookies, though, not third-party.

~~~
throwaway2048
That's merely a technical detail. It fundamentally represents cross site
tracking harvested by google.

~~~
StavrosK
How is it cross-site if the cookie is first-party?

~~~
kuschku
Something can be third-party, but not cross-site. Google Analytics is one of
those.

~~~
StavrosK
A third party cookie has a specific meaning. Google Analytics issues first
party cookies.

~~~
michaelt
Nobody has mentioned third party cookies except you.

Google analytics loads scripts from and sends results to Google. Those
requests inevitably include IP address and referrer. That's more than enough.

------
anotheryou
so this is really a cross-origin blocker + whitelist.

I wonder if google fonts and jquery CDN and such will get whitelisted. I don't
think they should be, but not doing so will break websites even more than
flash blocked by default.

I have to say if it's called "tracking protection" it leads to a false sense
of security. Browser fingerprinting (and cookies) on the websites you visit
still works. The ad-distributor might no longer track you, but sites still
can.

A first counterattack on this might also be self-hosted tracking scripts that
then push the data to google analytics or the ad-network or whoever demands
that you let them track your users to use their service.

------
jarvuschris
So now when I build a website and want to use a cookieless domain for assets,
my site is going to be broken for Firefox users until I get it blessed by
Mozilla?

~~~
y0ghur7_xxx
no. how do you come to that conclusion?

~~~
jarvuschris
I read the article? The new feature uses a whitelist provided by Mozilla to
determine if a given site is allowed to load an asset from a given external
hostname. Their example makes it seem like twitter gets to be blessed with
being able to continue loading images, but there's no mention of what smaller
publishers need to do to get added to the blessed list

~~~
y0ghur7_xxx
> The new feature uses a whitelist provided by Mozilla to determine if a given
> site is allowed to load an asset from a given external hostname.

It's not a whitelist, but a blacklist of known tracking sites. Your cookieless
domain for assets is not in there.

~~~
jarvuschris
Ahhh I see, so it's like a blacklist paired with a whitelist. I missed that
sites not found on the first list would be unrestricted. Thanks for the
explanation
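
The decision order the last exchange arrives at (a blacklist of tracking domains, with a whitelist for domains owned by the site being visited), as an added example that is not part of the thread and is not Mozilla's code. All domain names and list entries are constructed, and the two-label `site()` helper is a simplifying assumption; a real implementation derives the site from the Public Suffix List.

```javascript
// Added illustration. Every list entry below is constructed sample data.
const BLOCKLIST = new Set(["tracker.example", "social-cdn.example"]);

// Entity whitelist: first-party site -> blacklisted domains the same owner controls.
const ENTITY_WHITELIST = new Map([
  ["social.example", new Set(["social-cdn.example"])],
]);

// Assumption: a "site" is the last two host labels (real code needs the Public Suffix List).
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Return the list entry covering host (exact match or a parent domain), or null.
function listedDomain(host, list) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) return candidate;
  }
  return null;
}

// Decide what happens to a request made while pageUrl is the top-level page.
function classifyRequest(pageUrl, requestUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const reqHost = new URL(requestUrl).hostname;

  // 1. First-party loads are never touched, even for a listed domain.
  if (site(pageHost) === site(reqHost)) return "allow: first-party";

  // 2. Third-party hosts absent from the blacklist are unrestricted.
  const hit = listedDomain(reqHost, BLOCKLIST);
  if (hit === null) return "allow: not on blacklist";

  // 3. A listed host still loads on sites owned by the same entity.
  const owned = ENTITY_WHITELIST.get(site(pageHost));
  if (owned && owned.has(hit)) return "allow: entity whitelist";

  // 4. Listed third party on an unrelated site.
  return "block";
}
```

The cookieless asset domain from the question falls under step 2: it is third-party but not listed, so nothing needs to be approved for it to load.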

