-
Notifications
You must be signed in to change notification settings - Fork 522
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
the open cookie jar [1447935, 1433700, 1207775: resolved since at least 76 except websockets] #489
Comments
Notes / observations: from https://wholeftopenthecookiejar.eu/ Edge (included because ... WTF?!!#&@# .. seriously? No QA team I guess: "Enabling the option to block third-party cookies in Edge has no effect" - that's a bit of big hole FF: https://bugzilla.mozilla.org/show_bug.cgi?id=1447935 [Access Denied for now] - Various mechanisms can be leveraged to bypass Firefox Tracking Protection. This way, cross-site requests directed at blacklisted domains can be sent while this countermeasurement is enabled FF: https://bugzilla.mozilla.org/show_bug.cgi?id=1447933 [WONTFIX] - It is difficult for extension developers to distinguish requests initiated by browsers background processes from requests initiated by websites. FF: https://bugzilla.mozilla.org/show_bug.cgi?id=1433700 -> https://bugzilla.mozilla.org/show_bug.cgi?id=1453751 [Fixed in FF63 I think] - Requests to fetch the favicon are not interceptable by Firefox extensions |
I also wanted to make a post about this but you beat me to it :) It's nice to see that Gecko-based browser did far better than the rest (at least for the most part). Good job mozilla! I mean we already knew that or we wouldn't be using FF in the 1st place but it's nice to see it confirmed once again. One problem in FF and other Gecko-based browsers was this:
This is bad because apparently it can leak cookies and could also be abused for tracking fe with ETAGs. But the good news is that this issue was (allegedly) fixed in FF63. Probably worth checking if that's really the case. Another problem they also mentioned is that extensions are prohibited from seeing requests from other extensions. I was already aware of that and it's one the things that bugs me the most with the current WE-APIs. Hopefully they'll change that behavior sooner rather than later but I won't hold my breath :( |
For extensions devs of privacy/security-related addons there's this important note if they want to make sure they'll catch everything:
|
🥇 👍
👍 👍 although for 3rd-party cookie blocking FF still lacks (/leaks ?) in Redirects: But if FF is used with uBO their Table 2 shows that Redirects makes "no request". |
Tracking Protection unfortunately failed miserably! An easy fix for most of the problems would be to block 3rd-party cookies/site-date when TP is enabled. @fmarier is there anything you're allowed to tell us in regards to what you and your guys make of these results and maybe plans to fix those issues? I'd love to hear some insights! |
No. According to the tests you can execute from their site, uBO would fail the "Redirects" category. However, I think they may have run the test differently on their side. This is how they describe the "Redirect" category:
On their site, the tests use EasyList's That's the only explanation I can come up to explain why uBO was deemed as having passed the "Redirect" category. If you wanted to get a similar behavior in other blockers, you would be unable as far as I know. Edit: From what I see in their framework source, "Redirect" category was tested using |
^^ so the uBO pass mark was a false positive? |
Not a false positive, a deserved pass mark -- see for yourself and try to navigate to |
it sounds like Redirects can be problematic depending on how a site uses it, and you said this yourself:
I'd say the 1st line of defense is to enable 3rd-party cookie blocking in FF because that will stop everything in these tests except Redirects. Add uBO to that and Redirects should be covered in some or most cases. But it's not 100%, right? |
Well if a tracking server is not in one of the lists then uBO's strict-blocking won't kick in. |
This is why I've been pining for a web ext of NoRedirect - earthlng, what was the bugzilla for that API you needed, the one with crickets and tumbleweeds - maybe with this report we can push to get it done Is this it: https://bugzilla.mozilla.org/show_bug.cgi?id=1352653 ? Would this allow you to build a web ext NoRedirect? |
Our plan is to fix the existing bypasses and then flip the default so that all requests go through TP unless specifically exempted (e.g. Firefox update). The details are in https://bugzilla.mozilla.org/show_bug.cgi?id=1207775. |
Hm - I'm not sure that I understand. The Strict Blocking wiki site says that "uBO will block the web page served by a server found in one of the malware list". But a tracking server is usually not on a malware list - so how could it trigger strict blocking? I'm confused. Or is that wiki site not up-to-date? |
Any domain that is blocked using |
FYI:
Note: (in our user.js)
|
What is the right config for uBO?
How do you lock down all persistent storage? |
Nothing for you to do. Just config uBO however you like.
Cookies control cookies, localStorage and IDB - and I block all cookies by default. appCache is disabled. SW's are disabled (and "web workers" in uMatrix is default block). And I clean on close, which most likely clears other shit, like cache, sw cache (if I had any), and other things |
updated OP |
May-25-2020: update from the researcher:
This issue is really just for myself, and FYI - I'll fix the title one day when I get the time to read the docs etc and understand what is going on
Discussions
I had a quick skim of the reddit link and article last night, and
My assumption has always been that any persistent storage of website data can and will be used against you. Hence why the default user.js essentially blocked everything (until recently where we allowed first party cookies). Anyway, that's all for now
PS: I do not care about ABP, Disconnect, SafeScript etc, I only care about uM, uBO (and Firefox)
@gorhill Thanks, feel free to chime in if and when you have time (and feel it necessary), just don't like talking behind yer back :)
The text was updated successfully, but these errors were encountered: