Anti-fingerprinting and tracking protection break tinymce.com embeds
Categories: Core :: Privacy: Anti-Tracking, defect
People: Reporter: francois, Assigned: englehardt
References: Blocks 2 open bugs
Details
Now that tinymce.com is blocked by Disconnect:
https://github.com/disconnectme/disconnect-tracking-protection/blob/master/descriptions.md#TinyCloud
any site which embeds their HTML editor will have that functionality broken.
Here's a test page which demonstrates the problem:
Comment 1•6 years ago
This domain is on both the analytics list and the fingerprinting base list, meaning it will also be broken with tracking protection.
Comment 2•6 years ago
This is very bad. Tinymce is a very heavily-used library.
Reporter
Comment 3•6 years ago
It is widely used from a self-hosted standpoint, but I wonder how popular this hosted service is.
Also, they're sending the output of fingerprintjs2 back to their server: https://github.com/disconnectme/disconnect-tracking-protection/blob/master/descriptions.md#TinyCloud
so they definitely belong in this category.
Comment 4•6 years ago
(In reply to François Marier [:francois] from comment #3)
> It is widely used from a self-hosted standpoint, but I wonder how popular this hosted service is.
Yeah, me too. At least 1500 sites turn up with a quick and dirty search here: https://publicwww.com/websites/%22cloud.tinymce.com%22/ but none of them are super popular...
> Also, they're sending the output of fingerprintjs2 back to their server: https://github.com/disconnectme/disconnect-tracking-protection/blob/master/descriptions.md#TinyCloud
> so they definitely belong in this category.
No doubt about that, but I wonder if we can employ a more careful scalpel here. Are we trying to prevent the JS code from computing a fingerprint, or to prevent the transmission of this fingerprint to the remote server? Given the fact that fmarier.github.io doesn't leave a cookie jar in my browser we can be sure that the identifier isn't stored locally. The identifier for me is sent to this URL:
I wonder if we can suggest to Disconnect to only put sp.tinymce.com on the analytics/fingerprinting list and leave the rest of tinymce.com alone? Is that a good way to address this?
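The whole-domain versus endpoint-only question raised in comment #4, worked through as an added example (not code from this bug, from Mozilla or from TinyMCE). The hostnames come from the thread; the request paths and the fingerprint value are placeholders, and the label-boundary matching is an assumption about how a domain block list is applied.

```python
from urllib.parse import urlparse

# Constructed sample requests from a page that embeds the hosted editor.
# Hostnames come from this bug; paths and the fp value are placeholders.
EDITOR_SCRIPT = "https://cloud.tinymce.com/PLACEHOLDER/tinymce.min.js"
FP_BEACON = "https://sp.tinymce.com/PLACEHOLDER?fp=CONSTRUCTED_VALUE"


def host_matches(host: str, listed: str) -> bool:
    """True if host is the listed domain or any subdomain of it.

    Matching is on label boundaries, as a domain-based block list is
    applied: 'tinymce.com' covers 'cloud.tinymce.com' and 'sp.tinymce.com'
    but not the unrelated 'nottinymce.com'.
    """
    host = host.lower().rstrip(".")
    listed = listed.lower().rstrip(".")
    return host == listed or host.endswith("." + listed)


def is_blocked(url: str, blocklist: list[str]) -> bool:
    """Apply a domain block list to one request URL."""
    host = urlparse(url).hostname or ""
    return any(host_matches(host, d) for d in blocklist)


def evaluate(blocklist: list[str]) -> tuple[bool, bool]:
    """Return (editor_script_blocked, fingerprint_beacon_blocked).

    The first flag is site breakage; the second is the protection wanted.
    """
    return is_blocked(EDITOR_SCRIPT, blocklist), is_blocked(FP_BEACON, blocklist)


if __name__ == "__main__":
    # Whole-domain entry (the list state this bug is about): the beacon is
    # blocked, but so is the editor itself, so embedding sites break.
    print("tinymce.com    ->", evaluate(["tinymce.com"]))
    # Endpoint-only entry (the scalpel suggested above): the beacon stays
    # blocked while the editor script keeps loading.
    print("sp.tinymce.com ->", evaluate(["sp.tinymce.com"]))
```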
Reporter
Comment 5•6 years ago
Alternatively, could we reach out to TinyMCE to ask them why they're doing this?
Comment 7•6 years ago
just x-posted an issue on the tinymce github repository:
Assignee
Comment 8•6 years ago
(In reply to :Ehsan Akhgari from comment #4)
> I wonder if we can suggest to Disconnect to only put sp.tinymce.com on the analytics/fingerprinting list and leave the rest of tinymce.com alone? Is that a good way to address this?
This is an option. Disconnect has added endpoint domains to their list when the fingerprinting script is served from a CDN. Do we know if the sp.tinymce.com domain is used for anything other than as a tracking endpoint?
Comment 9•6 years ago
(In reply to Steven Englehardt [:englehardt] from comment #8)
> (In reply to :Ehsan Akhgari from comment #4)
> > I wonder if we can suggest to Disconnect to only put sp.tinymce.com on the analytics/fingerprinting list and leave the rest of tinymce.com alone? Is that a good way to address this?
> This is an option. Disconnect has added endpoint domains to their list when the fingerprinting script is served from a CDN. Do we know if the sp.tinymce.com domain is used for anything other than as a tracking endpoint?
I don't have that info.
Comment 10•6 years ago
We will be removing the fingerprint js from our cloud shortly, it is used to track usage of our premium cloud offerings, but we will change the metrics used for that.
Comment 11•6 years ago
(In reply to joakim.lindkvist from comment #10)
> We will be removing the fingerprint js from our cloud shortly, it is used to track usage of our premium cloud offerings, but we will change the metrics used for that.
Thanks a lot for getting in touch and confirming this!
Assignee
Comment 12•6 years ago
(In reply to joakim.lindkvist from comment #10)
> We will be removing the fingerprint js from our cloud shortly, it is used to track usage of our premium cloud offerings, but we will change the metrics used for that.
Please follow-up on this bug once you're ready and we'll forward the info to Disconnect. Thanks again for getting in touch.
Comment 13•6 years ago
The fp2 js payload is removed from all scripts loaded from our CDN/Cloud and the fp value is hard coded to "none".
Will you fwd this to Disconnect.me or should we approach them?
Assignee
Comment 14•6 years ago
Thanks for the quick update! I filed https://github.com/disconnectme/disconnect-tracking-protection/issues/76 to request a re-review with Disconnect. I'll keep this open for now until we merge their list changes.
Comment 17•6 years ago
(In reply to Steven Englehardt [:englehardt] from comment #14)
> I'll keep this open for now until we merge their list changes.
Sorry to bother you, but nearly a month has gone by and two duplicates have been filed in the last few days.
Assignee
Comment 18•6 years ago
Fixed in https://github.com/mozilla-services/shavar-prod-lists/pull/65. I verified the fix using Francois' test page.