Open Bug 1480562 Opened 6 years ago Updated 4 months ago

Add coin / cryptocurrency mining protection

Categories

(Firefox :: Protections UI, enhancement, P3)

People

(Reporter: jhirsch, Unassigned)

Some websites are testing out coin mining as an alternative to ad-based revenue generation[1][2]. Users should be able to decide whether or not to let a particular site use their compute power and electricity, just as users are already able to decide whether or not to expose other monetizable resources (like third-party tracking scripts / ad scripts, or geolocation).

There are some coin mining blockers already on AMO. The most popular one, No Coin, uses a blocklist[3]. However, discussion elsewhere [4] indicates that domain blocking alone may not work, since some mining implementations use random domains to load the JS.

Another, more abusive variant is that some sites use a tiny pop-under to try to persistently mine coins, even after the user leaves the site[5].


[1] https://www.engadget.com/2017/12/15/as-online-ads-fail-sites-mine-cryptocurrency/
[2] https://www.salon.com/about/faq-what-happens-when-i-choose-to-suppress-ads-on-salon/
[3] https://github.com/keraf/NoCoin/blob/1e9454090b5a4c0154d6e74a32a6c864361006b2/src/js/background.js#L180
[4] https://github.com/jspenguin2017/uBlockProtector/issues/636#issuecomment-334321820
[5] https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/

It's most likely that we will add protections against mining, but in the form of a blocklist first (in which case it would be part of the "content blocking" umbrella and not use a permission prompt). Does that sound sufficient for resolving this bug or are you specifically interested in showing a doorhanger to users (and/or potentially blocking based on heuristics)?
Flags: needinfo?(jhirsch)
> Does that sound sufficient for resolving this bug or are you specifically interested in showing a doorhanger to users (and/or potentially blocking based on heuristics)?

Feel free to handle the suggestions in this bug however you'd like :-)

I will point out that domain blocking is fairly easy to subvert via proxies or self-hosted mining scripts, while heuristics like setting a crypto API budget or CPU budget (bug 1403109) per page / per domain would be hard to avoid. I could definitely see a variation on the slow-running script warning for such cases, which might well fall under the 'content blocking' umbrella.
Flags: needinfo?(jhirsch)
Component: Device Permissions → Tracking Protection
Priority: -- → P3
Summary: add a coin / cryptocurrency mining permission → Add coin / cryptocurrency mining protection
Severity: normal → S3
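
The trade-off discussed in this thread, as an added example that is not from the bug or from Firefox's code: a domain blocklist check beside a per-origin CPU budget, run over constructed page loads. The domains, the threshold (more than 50% CPU share for 5 consecutive samples) and the sample data are assumptions for illustration.

```javascript
// Added example; names, thresholds and sample data are constructed for illustration.

// Constructed blocklist of mining-script hosts (placeholder domains).
const BLOCKLIST = new Set(["miner.example", "coinpool.example"]);

// Blocklist check: true when the script's host or a parent domain is listed.
function blockedByList(scriptUrl) {
  const labels = new URL(scriptUrl).hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (BLOCKLIST.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Per-origin CPU budget: flag an origin whose CPU share stays above
// `maxShare` for `windowLen` consecutive samples.
class CpuBudget {
  constructor(maxShare = 0.5, windowLen = 5) {
    this.maxShare = maxShare;
    this.windowLen = windowLen;
    this.streak = new Map(); // origin -> consecutive over-budget samples
  }
  // Record one sample (CPU share 0..1); returns true once the origin is over budget.
  record(origin, cpuShare) {
    const n = cpuShare > this.maxShare ? (this.streak.get(origin) || 0) + 1 : 0;
    this.streak.set(origin, n);
    return n >= this.windowLen;
  }
}

// Constructed page loads: script URL plus per-second CPU share samples.
const PAGES = [
  { origin: "https://news.example", script: "https://cdn.miner.example/m.js", cpu: [0.9, 0.9, 0.95, 0.9, 0.9, 0.9] }, // listed host
  { origin: "https://blog.example", script: "https://blog.example/assets/app.js", cpu: [0.9, 0.92, 0.9, 0.95, 0.9, 0.9] }, // self-hosted miner
  { origin: "https://shop.example", script: "https://shop.example/app.js", cpu: [0.8, 0.2, 0.1, 0.7, 0.1, 0.05] }, // bursty but ordinary
];

// Run both checks over every page and report which one fires.
function evaluate(pages) {
  const budget = new CpuBudget();
  return pages.map((p) => {
    let overBudget = false;
    for (const s of p.cpu) overBudget = budget.record(p.origin, s) || overBudget;
    return { origin: p.origin, listed: blockedByList(p.script), overBudget };
  });
}

console.log(evaluate(PAGES));
```

The self-hosted script passes the blocklist but trips the budget, while the bursty page trips neither because its streak resets whenever usage drops.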