Summary: We are expanding the set of resources blocked by Content Blocking to include domains found to participate in cryptomining and fingerprinting. Cryptomining has a significant impact on a device’s resources [0], and the scripts are almost exclusively deployed without notice to the user [1]. Fingerprinting has long been used to track users, and is in violation our anti-tracking policy [2].
In support of this, we’ve worked with Disconnect to introduce two new categories of resources to their list: cryptominers [3] and fingerprinters [4]. As of Firefox 67, we have exposed options to block these categories of domains under the “Custom” section of the Content Blocking in about:preferences#privacy. We are actively working with Disconnect to discover new domains that participate in these practices, and expect the lists to grow over time. A full description of the lists is given here [5]. Bugs: Implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1513159 Breakage: Cryptomining: https://bugzilla.mozilla.org/show_bug.cgi?id=1527015 Fingerprinting: https://bugzilla.mozilla.org/show_bug.cgi?id=1527013 We plan to test the impact of blocking these categories during the Firefox 67 release cycle [6][7]. We are currently targeting Firefox 69 to block both categories by default, however this may change depending on the results of our user studies. To further field test the new lists, we expect to enable the blocking of both categories by default in Nightly within the coming month. If you do discover breakage related to this feature, we ask that you report it in one of the cryptomining or fingerprinting blocking breakage bugs above. Link to standard: These are additions to Content Blocking/Tracking Protection which is not a feature we've standardized. Platform coverage: Desktop for now. It is being considered for geckoview: ( https://bugzilla.mozilla.org/show_bug.cgi?id=1530789) but is on hold until the feature is more thoroughly tested. Estimated release: Disabled by default and available for testing in Firefox 67. We expect to ship this on by default in a future release, pending user testing results. An intent to ship will be sent later. Preferences: * privacy.trackingprotection.fingerprinting.enabled - controls whether fingerprinting blocking is enabled * privacy.trackingprotection.cryptomining.enabled - controls whether cryptomining blocking is enabled These can also be enabled using the checkboxes under the Custom section of Content Blocking in about:preferences#privacy for Firefox 67+. Is this feature enabled by default in sandboxed iframes?: Blocking applies to all resources, regardless of their source. DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1537627 When blocking of either category is enabled, any blocked resources will be logged to the console with the following message: `The resource at “ example.com” was blocked because content blocking is enabled.` Do other browser engines implement this? Opera and Brave block cryptominers using the no-coin cryptomining list [8][9]. The cryptomining list supplied by Disconnect is, in part, created by matching web crawl data against no-coin and other crowdsourced lists. No other browsers currently block the fingerprinting list, as we are working with Disconnect to build it for this feature. However, many of the domains on the fingerprinting list are likely to appear on other crowdsourced adblocking lists. Web-platform-tests: Since content blocking is not a standardized feature, there are no wpts. Is this feature restricted to secure contexts? No. Users benefit from blocking in all contexts. [0] https://arxiv.org/pdf/1806.01994.pdf [1] https://nikita.ca/papers/outguard-www19.pdf [2] https://wiki.mozilla.org/Security/Anti_tracking_policy [3] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9537 [4] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9316 [5] https://wiki.mozilla.org/Security/Tracking_protection#Lists [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1533778 [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1530080 [8] https://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/ [9] https://github.com/brave/adblock-lists/blob/master/coin-miners.txt _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
