-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Group related domains together in before spoofing 3rd-party referrers #3194
Comments
currently these are the shields features which have some awareness of 3rd-partiness:
I think for all of these it would make sense to change "1st party" to "either 1st party or in the same entity group as the top-level page" |
Would we rely on Mozilla to maintain those groups, or would we want to depend on |
I'm not sure what "same-site" you're referring to, but last time I checked there was no way to programmatically determine this in a safe way. That might be something that the research team could investigate. I was thinking that we could start by using the same list as Mozilla, potentially adding to it since we block more than just the Disconnect list. |
Maintaining it manually ourselves with help from Mozilla seems like a workable plan, though it may be a bit of work to keep up-to-date. |
Since I wrote a script to parse our
That's almost double the number of entries. Looking at the diff though, it's not just extra entries, there are also properties that are missing from the Mozilla entity list:
and some that are incomplete:
Looking at the Yahoo! ones, here are the resources that are present in the
Looking at one of these, Looking at the properties missing from the Mozilla list, I found that
Bottom line is that while there are differences between our entity list and Mozilla's, some of which make sense and some of which are harder to explain or possibly mistakes, my guess is that we would be better off using their list since it covers a lot more web properties. We could suggest fixes to them if we notice missing entries with a webcompat impact. |
Closing bc we no longer use any such determinations or lists when deciding referrer policy #10825 |
In order to fix a whole class of webcompat issues (e.g. #1356), we could group related domains together when we decide whether or not a request is 3rd-party.
For example,
google.com
andgoogleapis.com
both belong to Google. We're not really "leaking" the referrer if Google can see both requests anyways by virtue of being the recipient in both cases.Mozilla uses a list of entities for a similar purpose in their tracking protection. We could probably reuse that list.
@diracdeltas also suggested using it for some other 3rd-party checks in Shields.
The text was updated successfully, but these errors were encountered: