Extend Content Blocking API to support cryptomining protection experiment

RESOLVED FIXED in Firefox 68

Status

enhancement
P2
normal
RESOLVED FIXED
5 months ago
4 months ago

People

(Reporter: esawin, Assigned: esawin)

Tracking

Trunk
mozilla68

Firefox Tracking Flags

(firefox-esr60 wontfix, firefox65 wontfix, firefox66 wontfix, firefox67 wontfix, firefox68 fixed)

Details

Attachments

(3 attachments)

With bug 1515806 et al, we have added Gecko support for protection against fingerprinting and cryptomining.

We should expose these new options in GeckoView's Content Blocking settings (default off).

Assignee: nobody → esawin
Status: NEW → ASSIGNED

Steven, seeing that content-cryptomining-track-digest256 is not enabled (only base-cryptomining-track-digest256 is) by default when the corresponding prefs are switched in Gecko, what would be the correct/best GeckoView behavior for enabling cryptomining protection settings (see patch)?

We do have dedicated GeckoView anti-tracking settings for the ad, analytics, social and content categories.

E.g., do we want to block content-cryptomining-track-digest256 only if the anti-tracking content-track-digest256 category is also enabled?
Generally, as a user enabling cryptomining protection, I would expect all known cryptomining sources to be blocked, independent from my anti-tracking settings.

Is there a reason not to enable content-cryptomining-track-digest256 when privacy.trackingprotection.cryptomining.enabled is set?

Flags: needinfo?(senglehardt)

Fenix plans to implement extended content blocking UI in M4, so GV needs to provide the extended APIs in M3.

Priority: -- → P1
Whiteboard: [geckoview:fenix:m3]

I'm moving the fingerprinting protection part out of this bug, let's only address the cryptomining protection part here.

Summary: Extend Content Blocking API to support fingerprinting and cryptomining protection → Extend Content Blocking API to support cryptomining protection
Attachment #9047144 - Attachment description: Bug 1530789 - [1.0] Extend Content Blocking API: fingerprinting and cryptomining protection. → Bug 1530789 - [1.0] Extend Content Blocking API: cryptomining protection.

(In reply to Eugen Sawin [:esawin] from comment #2)

> Steven, seeing that content-cryptomining-track-digest256 is not enabled (only base-cryptomining-track-digest256 is) by default when the corresponding prefs are switched in Gecko, what would be the correct/best GeckoView behavior for enabling cryptomining protection settings (see patch)?

The "content" version of the cryptomining list is currently unused, as in we don't have any domains on it. In general we've used "content" versions of lists to include domains that are known to cause breakage when blocked. Since we're only just starting to build on this list and experiment with it, we haven't yet had to deal with breakage. I created the content version as a placeholder in the event we find there are some domains we're unable to block.

I suspect we'll only consume the base version of the list in Firefox desktop as we generally take a conservative approach in our content blocking / tracking protection features. What are the norms for geckoview with regards to tolerance for breakage? It looks like the content category of the tracking list is also off unless explicitly enabled by the user?

> We do have dedicated GeckoView anti-tracking settings for the ad, analytics, social and content categories.
>
> E.g., do we want to block content-cryptomining-track-digest256 only if the anti-tracking content-track-digest256 category is also enabled?
> Generally, as a user enabling cryptomining protection, I would expect all known cryptomining sources to be blocked, independent from my anti-tracking settings.
>
> Is there a reason not to enable content-cryptomining-track-digest256 when privacy.trackingprotection.cryptomining.enabled is set?

I agree that you wouldn't want to tie the two together since they are separate features. However you may want to tie the aggressiveness of the two blocking features together. So, rather than having a mode where users opt-in to each individual "content" list, you have an aggressive mode that adds in the domains known to cause breakage for all available features.

Flags: needinfo?(senglehardt)
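The list-selection policy proposed in the comment above, sketched as an added example (not Gecko or GeckoView code): each feature is switched on independently, and a single "aggressive" flag adds the breakage-prone "content" table for every enabled feature. The function names, the `.example` domains, the `base-track-digest256` table name and the simplified host-suffix lookup are assumptions made for illustration.

```python
import hashlib

def digest(expr):
    """digest256 tables hold SHA-256 hashes of entries, not plain domains."""
    return hashlib.sha256(expr.encode("ascii")).digest()

# Constructed sample tables; the .example domains are placeholders.
TABLES = {
    "base-track-digest256": {digest("tracker.example/")},
    "content-track-digest256": {digest("widgets.example/")},
    "base-cryptomining-track-digest256": {digest("miner.example/")},
    "content-cryptomining-track-digest256": {digest("cdn-miner.example/")},
}

# feature -> (base table, "content" table of domains known to cause breakage)
FEATURE_TABLES = {
    "tracking": ("base-track-digest256", "content-track-digest256"),
    "cryptomining": ("base-cryptomining-track-digest256",
                     "content-cryptomining-track-digest256"),
}

def resolve_tables(features, aggressive):
    """Tables to consult: base per enabled feature, content only if aggressive."""
    tables = []
    for feature, (base, content) in FEATURE_TABLES.items():
        if feature in features:
            tables.append(base)
            if aggressive:
                tables.append(content)
    return tables

def host_expressions(host):
    """Host suffixes with at least two labels, each with a trailing '/'."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) + "/" for i in range(len(labels) - 1)]

def matching_table(host, tables):
    """Name of the first selected table listing the host, or None."""
    for expr in host_expressions(host):
        hashed = digest(expr)
        for name in tables:
            if hashed in TABLES[name]:
                return name
    return None
```

With only cryptomining enabled, `widgets.example` is never matched in either mode, which is the independence from anti-tracking settings asked for earlier in the thread.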

(In reply to Steven Englehardt [:englehardt] from comment #6)

> The "content" version of the cryptomining list is currently unused, as in we don't have any domains on it. In general we've used "content" versions of lists to include domains that are known to cause breakage when blocked. Since we're only just starting to build on this list and experiment with it, we haven't yet had to deal with breakage. I created the content version as a placeholder in the event we find there are some domains we're unable to block.
>
> I suspect we'll only consume the base version of the list in Firefox desktop as we generally take a conservative approach in our content blocking / tracking protection features. What are the norms for geckoview with regards to tolerance for breakage? It looks like the content category of the tracking list is also off unless explicitly enabled by the user?

With GeckoView our goal is to expose all effective privacy tools to give app developers a wide range of options. Since GeckoView's "user" is not the end user, our defaults don't have the same significance as is the case with Firefox defaults.
It is up to the app developer to decide on sensible app defaults and/or which app settings they want to expose to their users.

At the same time, we would like to avoid exposing experimental APIs and settings for API stability.
When exposing a Gecko feature, the main question should not be about defaults, but about its effectiveness and side effects, which need to be properly documented in the API docs.

Since the content blocklist is only a placeholder at this point, I think it's best to remove it from the implementation and revisit extending the API once we have more information on its effects.

On a general note, do you think that exposing the cryptomining setting (with the base list) is a good idea at this point, do we have any data on the effects of the new blocklist?

Flags: needinfo?(senglehardt)

(In reply to Eugen Sawin [:esawin] from comment #7)

> Since the content blocklist is only a placeholder at this point, I think it's best to remove it from the implementation and revisit extending the API once we have more information on its effects.
>
> On a general note, do you think that exposing the cryptomining setting (with the base list) is a good idea at this point, do we have any data on the effects of the new blocklist?

Once https://github.com/mozilla-services/shavar-prod-lists/pull/56 is merged into the lists we'll have a reasonable set of domains on the base list, but it is definitely an experimental feature. We do not yet have any data on the breakage associated with the new list. That will be tested in Bug 1530080. Maybe it makes sense to re-visit this once those studies have run?

Flags: needinfo?(senglehardt)

Eugen says this is a Nightly experiment and doesn't need to block Fenix MVP.

Priority: P1 → P2
Summary: Extend Content Blocking API to support cryptomining protection → Extend Content Blocking API to support cryptomining protection experiment
Whiteboard: [geckoview:fenix:m3]

Pushed by esawin@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3f03780957a4
[1.0] Extend Content Blocking API: cryptomining protection. r=geckoview-reviewers,dimi,snorp,Ehsan
https://hg.mozilla.org/integration/autoland/rev/2038ef43f89a
[2.0] Initialize the SafeBrowsing module only in the parent process. r=dimi

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Backed out 2 changesets (Bug 1530789) for linting failures on Android

Failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=usercancel%2Ctestfailed%2Cbusted%2Cexception&group_state=expanded&revision=2038ef43f89a216d0dbf16611566941501a5c074&selectedJob=235584242

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=235584242&repo=autoland&lineNumber=2851

[task 2019-03-22T23:23:48.223Z] 23:23:48 INFO - > Task :geckoview:apiLintHelpWithGeckoBinariesDebug
[task 2019-03-22T23:23:48.223Z] 23:23:48 INFO - The API has been modified. If the changes look correct, please run
[task 2019-03-22T23:23:48.224Z] 23:23:48 INFO - $ ./gradlew apiUpdateFileWithGeckoBinariesDebug
[task 2019-03-22T23:23:48.224Z] 23:23:48 INFO - to update the API file.
[task 2019-03-22T23:23:48.224Z] 23:23:48 INFO - FAILURE: Build failed with an exception.
[task 2019-03-22T23:23:48.224Z] 23:23:48 INFO - * What went wrong:
[task 2019-03-22T23:23:48.224Z] 23:23:48 INFO - Execution failed for task ':geckoview:apiCompatLintWithGeckoBinariesDebug'.
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - > Process 'command 'python'' finished with non-zero exit value 131
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - * Try:
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - * Get more help at https://help.gradle.org
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - Use '--warning-mode all' to show the individual deprecation warnings.
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - See https://docs.gradle.org/4.10.2/userguide/command_line_interface.html#sec:command_line_warnings
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - BUILD FAILED in 12s
[task 2019-03-22T23:23:48.225Z] 23:23:48 INFO - 18 actionable tasks: 5 executed, 13 up-to-date
[task 2019-03-22T23:23:48.750Z] 23:23:48 INFO - SUITE-START | android-api-lint
[task 2019-03-22T23:23:48.750Z] 23:23:48 INFO - TEST-UNEXPECTED-FAIL | field public static final int AT_ALL = 62 | Field removed or incompatible change
[task 2019-03-22T23:23:48.750Z] 23:23:48 INFO - TEST-UNEXPECTED-FAIL | org.mozilla.geckoview.ContentBlocking | Unexpected api change
[task 2019-03-22T23:23:48.750Z] 23:23:48 INFO - SUITE-END | android-api-lint
[task 2019-03-22T23:23:48.768Z] 23:23:48 ERROR - Return code: 1
[task 2019-03-22T23:23:48.768Z] 23:23:48 ERROR - 1 not in success codes: [0]
[task 2019-03-22T23:23:48.768Z] 23:23:48 WARNING - setting return code to 2
[task 2019-03-22T23:23:48.768Z] 23:23:48 FATAL - Halting on failure while running ['/usr/bin/python2.7', 'mach', '--log-no-times', 'android', 'api-lint']
[task 2019-03-22T23:23:48.768Z] 23:23:48 FATAL - Running post_fatal callback...
[task 2019-03-22T23:23:48.768Z] 23:23:48 FATAL - Exiting 2
[task 2019-03-22T23:23:48.768Z] 23:23:48 INFO - [mozharness: 2019-03-22 23:23:48.768901Z] Finished build step (failed)
[task 2019-03-22T23:23:48.769Z] 23:23:48 INFO - Running post-run listener: _parse_build_tests_ccov
[task 2019-03-22T23:23:48.769Z] 23:23:48 INFO - Running post-run listener: _shutdown_sccache
[task 2019-03-22T23:23:48.769Z] 23:23:48 INFO - Running post-run listener: _summarize
[task 2019-03-22T23:23:48.769Z] 23:23:48 ERROR - # TBPL FAILURE #
[task 2019-03-22T23:23:48.769Z] 23:23:48 INFO - [mozharness: 2019-03-22 23:23:48.769325Z] FxDesktopBuild summary:
[task 2019-03-22T23:23:48.769Z] 23:23:48 ERROR - # TBPL FAILURE #
[taskcluster 2019-03-22 23:23:49.123Z] === Task Finished ===
[taskcluster 2019-03-22 23:23:49.969Z] Unsuccessful task run with exit code: 2 completed in 438.373 seconds

Flags: needinfo?(esawin)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Backout by shindli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/943d6c6e99b3
Backed out 2 changesets for linting failures on Android

Target Milestone: mozilla68 → ---

Pushed by esawin@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ef01c3d7432c
[1.2] Extend Content Blocking API: cryptomining protection. r=geckoview-reviewers,dimi,snorp,Ehsan
https://hg.mozilla.org/integration/mozilla-inbound/rev/0e0a7a15a412
[2.0] Initialize the SafeBrowsing module only in the parent process. r=dimi
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec073adab20e
[3.0] Update API changelog. r=agi

Flags: needinfo?(esawin)

67=wontfix because these new blocklist categories are experimental and not needed for Fenix MVP.
