Closed Bug 1298207 Opened 3 years ago Closed 3 years ago

[meta] Investigate using the Tracking Protection list to sandbox trackers instead of block


(Firefox :: Protections UI, defect)

(Reporter: englehardt, Assigned: englehardt)




(2 files)

During my internship I investigated whether or not we could use the tracking protection list to sandbox tracking resources instead of blocking them. We considered the following 4 approaches:

1. Allow all requests; strip cookies
2. Allow all requests; strip cookies and sandbox tracking iframes
3. Block active content embedded in the first-party context; sandbox tracking iframes
4. Sandbox active content embedded in the first-party context; sandbox tracking iframes

We determined each of these solutions to either provide an insufficient privacy improvement, to continue to cause too much breakage, or to be infeasible to implement and support. The analysis results of this research as well as a prototype patch will be added in follow-up comments.
Blocks: 1029886
Depends on: 1280412
Blocks: 1280412
No longer depends on: 1280412
Prototype patch for configuration (3) detailed above. This has the basic functionality of applying different sandbox options depending on the content type of a request. Note that this patch does have a few bugs and the sandboxing applied is simply a few iframe sandbox flags. The purpose of this prototype is to test compatibility with different script embedding practices.

With minor changes this patch can implement (1) and (2). A prototype implementation of (4) requires significantly more engineering.
The analysis of options 1 - 4 is available in the following document:
Closed: 3 years ago
Resolution: --- → FIXED
Exporting the Google Docs to a PDF to ensure it doesn't get lost.