Why are these sites not included in the "safe browsing" service that is
used by most browsers?
That way, everyone would be protected.

On Thu, Mar 21, 2019 at 2:59 PM Steven Englehardt <sengleha...@mozilla.com>
wrote:

> Summary:
> We are expanding the set of resources blocked by Content Blocking to
> include domains found to participate in cryptomining and fingerprinting.
> Cryptomining has a significant impact on a device’s resources [0], and the
> scripts are almost exclusively deployed without notice to the user [1].
> Fingerprinting has long been used to track users, and is in violation of our
> anti-tracking policy [2].
>
> In support of this, we’ve worked with Disconnect to introduce two new
> categories of resources to their list: cryptominers [3] and fingerprinters
> [4]. As of Firefox 67, we have exposed options to block these categories of
> domains under the “Custom” section of the Content Blocking in
> about:preferences#privacy. We are actively working with Disconnect to
> discover new domains that participate in these practices, and expect the
> lists to grow over time. A full description of the lists is given here [5].
>
> Bugs:
> Implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1513159
> Breakage:
> Cryptomining: https://bugzilla.mozilla.org/show_bug.cgi?id=1527015
> Fingerprinting: https://bugzilla.mozilla.org/show_bug.cgi?id=1527013
>
> We plan to test the impact of blocking these categories during the Firefox
> 67 release cycle [6][7]. We are currently targeting Firefox 69 to block
> both categories by default, however this may change depending on the
> results of our user studies.
>
> To further field test the new lists, we expect to enable the blocking of
> both categories by default in Nightly within the coming month. If you do
> discover breakage related to this feature, we ask that you report it in one
> of the cryptomining or fingerprinting blocking breakage bugs above.
>
> Link to standard: These are additions to Content Blocking/Tracking
> Protection which is not a feature we've standardized.
>
> Platform coverage:
> Desktop for now. It is being considered for geckoview:
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1530789) but is on hold until
> the feature is more thoroughly tested.
>
> Estimated release:
> Disabled by default and available for testing in Firefox 67. We expect to
> ship this on by default in a future release, pending user testing results.
> An intent to ship will be sent later.
>
> Preferences:
> * privacy.trackingprotection.fingerprinting.enabled - controls whether
> fingerprinting blocking is enabled
> * privacy.trackingprotection.cryptomining.enabled - controls whether
> cryptomining blocking is enabled
>
> These can also be enabled using the checkboxes under the Custom section of
> Content Blocking in about:preferences#privacy for Firefox 67+.
>
> Is this feature enabled by default in sandboxed iframes?: Blocking applies
> to all resources, regardless of their source.
>
> DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1537627
> When blocking of either category is enabled, any blocked resources will be
> logged to the console with the following message:
> `The resource at “example.com” was blocked because content blocking is enabled.`
>
> Do other browser engines implement this?
> Opera and Brave block cryptominers using the no-coin cryptomining list
> [8][9]. The cryptomining list supplied by Disconnect is, in part, created
> by matching web crawl data against no-coin and other crowdsourced lists.
> No other browsers currently block the fingerprinting list, as we are
> working with Disconnect to build it for this feature. However, many of the
> domains on the fingerprinting list are likely to appear on other
> crowdsourced adblocking lists.
>
> Web-platform-tests: Since content blocking is not a standardized feature,
> there are no wpts.
>
> Is this feature restricted to secure contexts? No. Users benefit from
> blocking in all contexts.
>
> [0] https://arxiv.org/pdf/1806.01994.pdf
> [1] https://nikita.ca/papers/outguard-www19.pdf
> [2] https://wiki.mozilla.org/Security/Anti_tracking_policy
> [3] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9537
> [4] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9316
> [5] https://wiki.mozilla.org/Security/Tracking_protection#Lists
> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1533778
> [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1530080
> [8] https://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/
> [9] https://github.com/brave/adblock-lists/blob/master/coin-miners.txt
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
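
An added example, not part of the original thread and not Firefox's own code: how a per-category domain list can be checked against a hostname, gated by the two preferences named in the quoted message. The JSON layout (categories, then entities, then site URL, then domains), the category key names, the sample domains and the parent-domain matching rule are all assumptions made for illustration.

```python
import json

# Constructed sample in the assumed layout of disconnect-blacklist.json:
# categories -> list of {entity: {site URL: [domains], optional string flags}}.
SAMPLE = json.loads("""
{"categories": {
  "Cryptomining": [
    {"ExampleMiner": {"https://miner.example/":
                      ["miner.example", "pool.miner.example"]}}
  ],
  "Fingerprinting": [
    {"ExampleFP": {"https://fp.example/": ["fp.example"],
                   "performance": "true"}}
  ]
}}
""")

# Preference names are from the announcement; the category keys are assumed.
PREF_TO_CATEGORY = {
    "privacy.trackingprotection.cryptomining.enabled": "Cryptomining",
    "privacy.trackingprotection.fingerprinting.enabled": "Fingerprinting",
}

def build_index(blocklist):
    """Map every listed domain to the set of categories it appears in."""
    index = {}
    for category, entities in blocklist["categories"].items():
        for entity in entities:
            for properties in entity.values():
                for domains in properties.values():
                    if not isinstance(domains, list):
                        continue  # string-valued flags are not domain lists
                    for domain in domains:
                        index.setdefault(domain.lower(), set()).add(category)
    return index

def categories_for(host, index):
    """Categories of host, matching the host itself or any parent domain."""
    labels = host.lower().rstrip(".").split(".")
    found = set()
    for i in range(len(labels) - 1):  # stop before the bare TLD
        found |= index.get(".".join(labels[i:]), set())
    return found

def would_block(host, index, prefs):
    """True if host falls in a category whose preference is switched on."""
    enabled = {cat for pref, cat in PREF_TO_CATEGORY.items() if prefs.get(pref)}
    return bool(categories_for(host, index) & enabled)
```

Matching on whole labels means `cdn.fp.example` inherits the listing of `fp.example`, while `notminer.example` does not match `miner.example`.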