> Yes, this is accurate - extensions cannot intercept requests from PDFium. PDFium, in Chrome, is (partially) implemented as a component extension, and extension requests cannot be monitored or manipulated by other extensions. The behavior of protecting component extension requests is critical for security reasons, and we are unlikely to change it.
Ug, not exactly sure what triggers PDFium vs PDF download, but this is especially bad if I could load a PDF in an iframe and get around any of your ad blocking. I also question why it's considered an extension at the user level. Anything installed and enabled by default should be considered part of the core browser and not an extension (regardless of the mechanisms, such as the extension one, they are implemented with). I understand the levels of separation and implementation difficulty fixing this entails, I really do, but the practicalities of your on-by-default PDF renderer making web requests different than a web page is too bad to ignore.
This goes to show that you cannot count on extensions to filter web requests in your browser. You must do it at the network level or have a dedicated browser for it (e.g. Tor Browser). Unfortunately it's often extensions that have all the contextual information needed to make the decisions you want.
0 - https://bugs.chromium.org/p/chromium/issues/detail?id=824705...
That web requests in PDF content types are not subject to the same approach as web requests in HTML content types is the problem. Disabling all JS is a blunt instrument akin to telling someone that being able to disable JS for other webpages is as good as a more nuanced ad block extension.
No, sorry if I was unclear. What I'm in favor of is my extensions being able to handle/filter web requests on PDFs the same as they do for webpages, irrespective of JS settings. JS is only under discussion here because of the linked commit and I'm saying that's not good enough.
edit to clarify: sorry I thought you thought that fix was trying to fix the bug, but you weren't, so this comment doesn't make much sense.
These days I wonder if the functional equivalent is expanding to include a Slack-bot?
iOS has iMessage.
Instagram and tinder and snapchat all support the basic concept of “mail”.
In fact, I wonder how many apps I have installed that don’t have some concept of an “inbox” or “messages”. Taskrabbit, Uber, GrubHub - all do “mail” in the modern, unfederated sense of the term.
(email started out unfederated, then we got uucp and smtp, now we are back to unfederated, centralized messaging.)
Seems like at least one of them is still going: https://www.seamonkey-project.org
"What if two extensions did this?"
As mentioned in the issue, only a subset of requests made by the component extension should be possible to intercept.
A combination of MIME types on the server and which application the browser is configured to use for a given extension.
> Safari’s Intelligent Tracking Prevention managed to mitigate all third-party cookies to a tracking domain, apart from redirects. However, we found that future completeness can be undermined by having this option disabled for even a short interval. Third-party cookies set in this interval by tracking domains, which otherwise would have been prevented, will still be included in cross-site requests after enabling the option again, identical to the results when the option is disabled. Luckily, this option is enabled by default, so future completeness can only be affected through explicit disabling by the user.
I'd also like to know whether that applies to iOS, but the paper didn't perform any mobile browser testing.
That said, every so often I view my stored cookies and I'm always shocked at the number of domains that I've never heard of that have stashed cookies. :-(
The key thing to remember is that there is no privacy without security. Factually speaking, ChromeOS is far more secure than either Windows or macOS.
This is factually incorrect. You can have privacy without security, and you can have security without privacy. Security keeps things safe, privacy keeps things hidden.
Also, ChromeOS devices ship with a rootkit called the Play Store. There are also hundreds of apps on the play store that install malware on Android devices. You may not need to install an anti-virus, but you may also very easily install what looks like a fun game, and then find your funds being drained from your bank account.
Uh that's not factually incorrect. You can definitely have security without privacy, but not the other way around. Without security that means your privacy can't be protected.
For example, my first iPhone, I didn't have a password (I think -- maybe that was my first iPad). It was insecure, but I'm reasonably sure that everything on there was private (in that more physical sense; I have no idea about internal security of those first generations of iPhone/iPad).
A weaker claim that is probably true might be: you cannot guarantee your privacy without security. That you cannot have privacy seems like too strong of a claim?
I do agree with you though. Privacy is having your information to yourself. You don't need security for that, just that everyone else keeps their nose to themselves. But if you want to guarantee your privacy, you need some form of security.
If I send and receive e-mails with a reporter off the record, we are communicating privately. But the communication may not be strictly confidential, nor secure, unless I take additional steps to ensure it.
If I keep files in my home directory, on my own hard disk, with permissions so only my user can access the files, then my files are private. They are not, however, implicitly secure. Another example: an SSH private key. Without a password on the key, the key is private, but not secure.
(Of course it’s impossible to tell that a system hasn’t been manipulated if it’s insecure and that makes the argument bollocks.)
This seems like a false dichotomy. Safety and being hidden are utterly intertwined—is the act of preventing a request revealing my identity an act of security, or of privacy? It seems like both to me: privacy is effected via security of not performing the request without my consent.
Cookie tracking is like wearing only a towel at the beach. Under the towel, you have privacy. But browsers suck at security, and so many websites can still walk up and yank off your towel, exposing you.
Security would be locking the towel to your body with a padlock. I'm not aware of browsers implementing strong security mechanisms for user data, so I'm pretty sure any privacy gains you get are just another towel.
It's a pedantic point I'll make, but one that's important to articulate: Apple hardware has incredible build quality - and you pay for that. An equivalent build quality Windows laptop will cost roughly the same.
The Entry level Apple MacBook pro 15" is £2,349.00 with:
256GB Storage (m.2 SSD, high speed)
2.2GHz 6-core 8th-generation Intel Core i7 processor
Radeon Pro 555X with 4GB of GDDR5 memory
16GB 2400MHz DDR4 memory
The same spec DELL Precision 5530 is: £2,481.49
256GB M.2 NVMe PCIe SSD Class 40 (Much slower)
Intel Core i7-8850H, Six Core 2.60GHz, 4.30GHz Turbo, 9MB 45W
16GB, 2 DIMMS, DDR4-2666MHz SDRAM, Non-ECC
15.6" Ultrasharp UHD IGZO4, 3840x2160, Touch, w/Prem Panel Guar 100% color gamut, Brushed Onyx
So, more powerful CPU, slower storage and less pixels with a touch screen. -- For the same price.
The issue when comparing price is that it's often Apples (heh) to Oranges, Apple only sell high quality hardware thus the cost to play is higher.
(FWIW they also charge too much for upgrades; but this is just smart business as those who need that much power are willing to pay)
(PS: I actually own a Precision 5520 and I love it; I don't buy into the Apple hype train but I don't buy into the anti-apple hype train either- all systems should be weighed on their merits but my point is that price is often an unfair metric when people talk about laptops due to the abhorrent build quality of most laptops)
I think part of the issue is that you don't have a choice of specs. If PCI-E SSD speeds are enough for you, you don't have a choice to save the money on it. If you want to go for a cheaper 4-core processor with higher clock speeds and put the money into more/better RAM, you can't make that trade-off.
I do agree that macbooks are pretty good value for the components you're getting, but I think unless your view on what you want in your computer matches what Apple will give you then you will end up "wasting" some money on your machine.
On a regular timebase it removes all cookies and databases except my Favorites like HN, Docker, GitHub, Netflix, my newspaper, etc. Works like a charm, set-and-forget.
For most purposes there's little benefit to keeping old cookies hanging around. Just whitelist the sites you want to stay logged in to.
Edit, Haha, sibling comment links to it. Absurdity.
Is that what Safari has? Do any other browsers have plans for this? Or stated plans to NOT do this? I imagine Chrome falls in the latter camp.
i'm referring to the latest safari which tracks 3rd-party cookies and deletes them automatically after 24 hours if you've never sent that cookie as a 1st-party one. thus effectively eliminating tracking, yet allowing sites to work normally without having to temporarily enable various trackers or determine which ones are "safe".
at the same time, google/chrome said they are taking a different approach which still allows tracking. i'm not sure that they said they would NOT CONSIDER implementing a feature like safari's though.
I thought some of them were already doing that by using HSTS flag as a super cookie. (but safari implemented a defense)
I'm currently running chrome with uBlock Origin and uMatrix. uMatrix is a bit of a hassle, but I didn't realize the scope of the threat landscape until I saw the huge number of (potential) trackers called out by almost every site.
"Regarding [who left open the cookie jar]
I was contacted in March by one of the researcher regarding the "behind-the-scene" issues (the "AppCache" and "SW" columns in the tables).
This was fixed in 1.15.20 [...]" https://twitter.com/gorhill/status/1030071494263615489
I believe the only proper step up from your setup would be to switch to browsing exclusively via Tor. Generally smaller browsers that advertise themselves as "privacy-maximizing" make basic mistakes like serving their own user agent - instead of using one of the extremely common user agents. Or at least that was the situation a few years ago.
If nothing else, Firefox isn’t built by a literal advertising company.
* Their built-in tracking protection is also another distinction.
* Ability to modify core settings to improve privacy is also really nice, but not viable for the average user.
* Firefox on Android is the only mobile browser that allows you to install add-ons. I'm not talking special mobile-made add-ons. Any add-on that you can install on desktop, you can install on the mobile version. Although usability will definitely vary. uBlock Origin, Privacy Badger, Decentraleyes, Cookie AutoDelete - all available on Firefox mobile for Android
I'm not going to go as far as saying Firefox deserves your 100% trust. They have definitely made some missteps along the way. However, as far as meaningful distinction, yes I think that is well earned.
Has anyone done this? Is there any literature about it (I didn't find any after a quick look).
Of course that would probably break google analytics, so I don’t expect this on chrome.
With third party cookie policies getting more stringent, many websites now use either a reverse proxy within the first party domain that points to third party servers, or they use a first party subdomain that points to third party servers.
In either case, it allows the servers belonging to the data gatherer to appear as first party, thus getting around third party cookie restrictions.
Combine that with browser fingerprinting, and you now have a harder but very viable way to replace the functionality third party cookies previously had.
This is completely transparent from the outside.
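An added example, not part of the thread: one way a defender could spot the first-party-subdomain variant described above, by following each subdomain's CNAME chain and comparing registrable domains. The hostnames, the records and the tiny suffix list are constructed assumptions (a real check would query DNS and use the full Public Suffix List), and the reverse-proxy variant leaves nothing in DNS for this to find.

```python
# Added example: flag hostnames that look first-party by name but whose
# CNAME chain ends at a different registrable domain.

# Constructed CNAME records (name -> target); a real check would query DNS.
CNAME_RECORDS = {
    "metrics.shop.example": "shop-example.collector.tracker.test",
    "shop-example.collector.tracker.test": "edge7.tracker.test",
    "static.shop.example": "cdn.shop.example",
    "www.shop.example": "shop.example",
}

# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"example", "test", "co.uk"}


def registrable_domain(host):
    """Return the public suffix plus one label (eTLD+1) for host."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback: last two labels


def resolve_chain(host, records, max_hops=8):
    """Follow CNAMEs from host; stop at a non-CNAME name, a loop or max_hops."""
    chain = [host]
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in chain:  # CNAME loop
            break
        chain.append(nxt)
    return chain


def find_cloaked(site, hosts, records):
    """Return {host: final_target} for first-party-looking hosts that
    resolve into another registrable domain."""
    site_domain = registrable_domain(site)
    flagged = {}
    for host in hosts:
        if registrable_domain(host) != site_domain:
            continue  # already third-party by name; ordinary blocking applies
        final = resolve_chain(host, records)[-1]
        if registrable_domain(final) != site_domain:
            flagged[host] = final
    return flagged
```
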
When I hear PMs say "this change will be completely transparent to clients" what they mean is, the client will see no difference, which means really, the details are hidden in a black - opaque - box.
Importantly however; Tech people can claim they are being 'transparent'. To them this can mean no visible difference to the user- and to everyone else means visible/public and available for scrutiny.
So yes, I am sure Zuckerberg is focused on 'transparency'.
But, I'ma guess probably not.
Doesn't transparent mean that the interface stays the same and clients can interact with the system in the same way as before without the need to change their code?
But don't despair - all isn't lost!
You can fix it with sandpaper, after that you'll be able to see the glass and it will become transparent.
Please don't sue me if you don't like the result, however.
Third-party cookies are still included in all requests when enabling the option to block these in Edge.
Oh my God T_T
Looking forward to a blocker that can detect if a script is going to pop up and block that (and it'd be ok to have to whitelist the few sites whose entire functionality is popup based, like twitter), but I think that's equivalent to solving the halting problem.
Unless you don't allow jerberscript. Which blocks all of them.
It's an eminently defensible descriptive statement; the trend is certainly away from building the web and towards treating the browser as the VM to rule them all. It is not a particularly well-defensible normative statement.
People are going to be pissed when they load up their cart and then follow some bookmark they created for a product on your site to add it to the cart, only to find the cart empty.
Unit testing cookie read/write permissions isn’t “a thing?”
I’m going to say something crazy; At least some of the major browser vendors are violating a warranty with this.
An entirely fake privacy crucial setting?! Obviously they knew and left it there deceptively, because the alternative is even worse.
Words often have multiple, independent meanings.