Closed
Bug 1225143
Opened 10 years ago
Closed 10 years ago
tracking protection should automatically set DNT
Categories
(Toolkit :: Safe Browsing, defect)
RESOLVED
WONTFIX
People
(Reporter: bkelly, Unassigned)
Details
Currently you can have tracking protection enabled via the pref or private browsing mode, but DNT is not set. This seems like a confusing set of signals to send to the client page.
For example, on my blog I do:
if (navigator.doNotTrack != "yes") {
  // google analytics
}
So when DNT is set, I don't get a tracking protection shield on my site. With default DNT settings however, my site still stupidly tries to load google analytics and I get the tracking protection shield.
It seems like we could infer the intent to DNT from tracking protection. If tracking protection is enabled, then navigator.doNotTrack should return "yes".
Updated•10 years ago
Component: DOM: Security → Safe Browsing
Product: Core → Toolkit
Comment 1•10 years ago
The problem with this approach is that it would be an easy way for sites to detect that a Firefox user is in Private Browsing (where TP is enabled by default). It's not a perfect signal of course (you can enable TP or DNT in normal mode too), but if you assume that most users rely on the defaults, it's a pretty big signal.
Instead, we'll be making a list of DNT-enabled trackers and forcing DNT for those when TP is on, see bug 1258033.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
| Reporter | ||
Comment 2•10 years ago
(In reply to François Marier [:francois] from comment #1)
> Instead, we'll be making a list of DNT-enabled trackers and forcing DNT for
> those when TP is on, see bug 1258033.
How will this address the use case in comment 0 where my own blog site is performing the DNT check?
Also, it's already trivially easy to detect PB mode. Just try to use IDB or any other storage API and watch it fail.
Flags: needinfo?(francois)
Comment 3•10 years ago
(In reply to Ben Kelly [:bkelly] from comment #2)
> How will this address the use case in comment 0 where my own blog site is
> performing the DNT check?
>
> Also, it's already trivially easy to detect PB mode. Just try to use IDB or
> any other storage API and watch it fail.
You're right that there are other ways to detect PB mode. If we tied DNT to TP then it would be even easier and you could passively figure it out just by looking at headers.
The real solution here is to get more people to turn on DNT globally or to offer TP in normal mode. The former one isn't going to happen now that the setting has been buried deeper into the preferences, but we are working on the latter.
I do realize it's annoying to not know whether or not to load trackers like Google Analytics (and avoid the shield). On my own blog, I actually seek the shield since I use http://blog.aloodo.org/misc/site-request/.
Flags: needinfo?(francois)
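The site-side DNT check from comment 0, written out as an added example (not code from this bug or from Firefox). It accepts both "yes", as in the reporter's snippet, and "1", and it also reads window.doNotTrack and navigator.msDoNotTrack, which are assumed here to be where older browsers exposed the value; all function names are hypothetical.

```javascript
// Added example: normalise the Do Not Track signal before loading analytics.
// Only navigator.doNotTrack appears in the bug; the other two properties are
// assumptions about older browsers. Function names are hypothetical.

// Values that mean "the user asked not to be tracked".
const DNT_ON = new Set(["1", "yes"]);
const DNT_OFF = new Set(["0", "no"]);

// Collect every DNT-like value the environment exposes.
function readDntSignals(nav, win) {
  return [
    nav && nav.doNotTrack,   // the property checked in comment 0
    win && win.doNotTrack,   // assumed: exposed on window by some browsers
    nav && nav.msDoNotTrack, // assumed: older Internet Explorer
  ].filter((v) => v !== undefined && v !== null);
}

// Returns "on", "off" or "unspecified". Any explicit opt-out wins.
function dntState(nav, win) {
  const signals = readDntSignals(nav, win).map((v) => String(v).toLowerCase());
  if (signals.some((v) => DNT_ON.has(v))) return "on";
  if (signals.some((v) => DNT_OFF.has(v))) return "off";
  return "unspecified";
}

function shouldLoadAnalytics(nav, win) {
  return dntState(nav, win) !== "on";
}

// Runs `loader` only when DNT is not set; returns whether it ran.
function loadAnalyticsIfAllowed(nav, win, loader) {
  if (!shouldLoadAnalytics(nav, win)) return false;
  loader();
  return true;
}

// In a page: pass the real objects and a callback that injects the script.
if (typeof window !== "undefined" && typeof navigator !== "undefined") {
  loadAnalyticsIfAllowed(navigator, window, () => {
    // analytics snippet goes here (placeholder)
  });
}
```

With tracking protection on and DNT left at its default, `dntState` returns "unspecified" and the loader still runs, which is the situation comment 0 describes.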