Polaris breaks addthis.com

RESOLVED WORKSFORME

Status

()

Core
DOM: Security
RESOLVED WORKSFORME
4 years ago
4 years ago

People

(Reporter: sjw, Assigned: mmc)

Tracking

(Blocks: 1 bug, {site-compat})

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

4 years ago
If Polaris is enabled, it blocks CSS resources from https://www.addthis.com/. This breaks the whole view of the site.
(Reporter)

Updated

4 years ago
Blocks: 1029886
Keywords: site-compat
Assignee: nobody → mmc
Component: Security → DOM: Security
Monica, do we have a tracker for these sorts of issues?
Flags: needinfo?(mmc)
(In reply to Please do not ask for reviews for a bit [:bz] from comment #1)
> Monica, do we have a tracker for these sorts of issues?

I just made bug 1101005 for tracking bugs like these, or people can file at trackingprotection.info if they prefer.

(In reply to sjw from comment #0)
> If Polaris is enabled, it blocks CSS resources from
> https://www.addthis.com/. This breaks the whole view of the site.

Hi sjw, sorry for the breakage. addthis.com was found to use in HTML canvas fingerprinting back in July. Canvas fingerprinting is widely regarded as one of the worst forms of tracking, because it uses mechanisms that have no opt-out in modern browsers and were intended for an entirely different purpose (better drawing of web pages).

http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block

As a result, it has been added to many blocklists. I believe this is working as intended. If you wish to communicate with addthis.com despite their use of canvas fingerprinting, you can click on the shield icon and select "Disable protection for this site." Please let me know if that doesn't work.

Thanks,
Monica
Blocks: 1101005
No longer blocks: 1029886
Flags: needinfo?(mmc)
Hi sjw,

I haven't heard anything in a while, so I hope that comment 2 resolves this bug satisfactorily.

Thanks,
Monica
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 4

4 years ago
Hi Monica

I do not contact addthis.com because I don't like this company.
I just wonder why the whole page is blocked and not just the canavs.
Hi sjw,

Canvas fingerprinting is just one of many ways to fingerprint the user. Even if we just block canvas, there's still IP address, cookies, etags, and all of the other sources of fingerprint entropy listed in https://panopticlick.eff.org/browser-uniqueness.pdf.

Thanks,
Monica
You need to log in before you can comment on or make changes to this bug.