Closed Bug 1668020 Opened 4 years ago Closed 4 years ago

permissions.default.image=3 fails to prevent third-party images from loading in Firefox 78

Categories

(Core :: Permission Manager, defect)

78 Branch
defect

Tracking

RESOLVED WONTFIX
Tracking Status
firefox-esr78 --- wontfix
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix

People

(Reporter: local10, Unassigned)

References

(Regression)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

  1. Set permissions.default.image=3, it should prevent third-party images from loading, at least that's how it worked in Firefox 68.
  2. Go to any website that uses third-party images, for example, http://www.kitcosilver.com/ .
  3. You will see that third-party images are loaded by Firefox 78, despite the permissions.default.image=3 setting that should have prevented third-party images from loading.

http://www.kitconet.com/charts/metals/silver/ag_go_0030_ny.gif

Actual results:

Third-party images are loaded and shown by Firefox 78, despite the permissions.default.image=3 setting that should have prevented third-party images from loading.

Expected results:

Third-party images should not have been loaded by Firefox 78, when permissions.default.image=3. That's how it worked in Firefox 68 and before Firefox 68.

I can confirm this issue, reproduced it on Mac OS X 10.15 using Firefox 78.3.1 esr, Firefox 81.0.1, Firefox 82 beta 7, and the latest Nightly 83.0a1.

I managed to find a regression range, here are the results:

Found commit message:
Bug 1597541 - Added pref and disabled nsContentBlocker by default. r=Ehsan

Status: UNCONFIRMED → NEW
Has Regression Range: --- → yes
Component: Untriaged → Permission Manager
Ever confirmed: true
Keywords: regression
Product: Firefox → Core
Regressed by: 1597541

We've removed nsContentBlocker in Bug 1357107. The permission.default.image pref only supports accept=1 and deny=2 and is handled by the ImageBlocker class: https://searchfox.org/mozilla-central/rev/4352fb7b0d17c1febff9569ed311e0e42c93093e/image/ImageBlocker.cpp#36-44
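A profile check for the situation described in this bug, as an added example (not Mozilla's code and not part of the original report): it reads `user_pref()` lines from a profile's `prefs.js` and `user.js` and flags a `permissions.default.image` value of 3, which per the comment above is no longer one of the supported values. The function names and the sample file contents are constructed for illustration.

```python
import re

PREF_NAME = "permissions.default.image"

# Values the comment above says the pref still supports.
SUPPORTED = {1: "accept all images", 2: "deny all images"}

# Matches integer prefs only, e.g. user_pref("name", 3);
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>-?\d+)\s*\)\s*;'
)


def read_int_prefs(text):
    """Return {name: int} for integer user_pref() lines; the last assignment wins."""
    prefs = {}
    for line in text.splitlines():
        match = _PREF_RE.match(line)  # lines commented out with // do not match
        if match:
            prefs[match.group("name")] = int(match.group("value"))
    return prefs


def audit_image_pref(prefs_js="", user_js=""):
    """Classify the effective permissions.default.image value of one profile."""
    effective = read_int_prefs(prefs_js)
    effective.update(read_int_prefs(user_js))  # user.js is applied over prefs.js at startup
    value = effective.get(PREF_NAME)
    if value is None:
        return ("default", "pref not set; the Firefox default applies")
    if value in SUPPORTED:
        return ("ok", SUPPORTED[value])
    if value == 3:
        return ("stale", "third-party blocking is no longer enforced; third-party images load")
    return ("unknown", f"value {value} is not one of the supported values")


# Constructed sample profile contents (not taken from the bug report).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("permissions.default.image", 1);
'''
SAMPLE_USER_JS = '''\
// user_pref("permissions.default.image", 2);
user_pref("permissions.default.image", 3);
'''

if __name__ == "__main__":
    print(audit_image_pref(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```
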

Your comment is uninformed, derogatory and clearly violating our comment etiquette, so I would normally not respond to this but I don't want to let you have the last word trash-talking Paul's excellent work.

(In reply to Loc Al 10 from comment #3)

> > We've removed nsContentBlocker in Bug 1357107. The permission.default.image pref only supports accept=1 and deny=2
>
> Thanks, Firefox devs! Yet another great decision by your highly talented team!

If you read bug 1357107 you will indeed note that several highly experienced Firefox engineers agreed that removing native content blocking had great technical advantages, including a performance boost for the 99.6% of users who have never used the feature with any of the options.

> Initially I was upset because I didn't see the wisdom of your decision right away but then it dawned on me: Obviously, when choosing between adding another social media craplet or keeping this old FF feature that was there for many many years something has got to give. And who the hell wants to block third party images anyway? Especially when those third party images may come from carefully selected, trusted and well-paying partners of Mozilla Corp!

I think "who the hell wants to block third party images" is a very valid question. What exactly is your threat model solved by blocking only third party images? There are more content types than images and large images can also come from a first party...

Further, a lot of content on the web nowadays is hosted from a variety of sources such as CDNs. I'm not sure how you deal with the resulting breakage, do you just flip the pref on and off? You really need a management UI for those prefs. There are good add-ons for this kind of task that have this kind of UI.

I would strongly advise you to use uMatrix which gives you an advanced management UI for blocking all kinds of content, not just images, with the ability to allow-list individual sites. It's literally a few minutes of effort to recreate what you had before.

> Good luck, I'm sure these kind of decisions will keep FF market share growing for many years to come!

If you look at the dependency list of bug 1357107 you will note that since we made this change 9 months ago literally no one has come to file a bug about third party images so far (some complained about blocking images not working which is why we fixed it). On the flip side, this change is guaranteed to bring a performance improvement (with varying degree of impact depending on permissions DB lookup speed) for literally all Firefox users.

To emphasize again, we're not even talking about weighing advanced users vs. common users' interests here, advanced users had the sense to use add-ons for this for a long time. This change benefits everyone.

I thought this was wontfixed already, let me do that now.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX

> Your comment is uninformed, derogatory and clearly violating our comment etiquette

You are just attacking the messenger because you don't like the message. The arguments you present to support your position are weak, for example:

> If you read bug 1357107 you will indeed note that several highly experienced Firefox engineers agreed that removing native content blocking had great technical advantages, including a performance boost for the 99.6% of users who have never used the feature with any of the options.

This kind of reasoning makes me think that "highly experienced Firefox engineers" have lost the plot and don't know what they are doing as there are several problems with the statement above:

  1. The majority of performance gains in FF comes from blocking advertising/spying/tracking/etc garbage, including scripts and third party fonts/images. In practical terms that means installing NoScript, UBO and maybe something else. The 10ms performance gain you get per page load by removing third party image check functionality isn't going to be noticed by many, if any.

  2. You contradict yourself: If removing native content blocking has "great technical advantages" then why did you leave the "Block all images" option? The percentage of FF users who are blocking all images has to be very very small. You could've removed the ImageBlocker class completely and improved performance even more, if you really believe what you wrote.

  3. This was an old FF feature, it was in FF for 15+ years and it was never a performance problem all that time while PCs were less powerful back then. Why did it become a performance problem now, all of a sudden? Makes no sense.

> Further, a lot of content on the web nowadays is hosted from a variety of sources such as CDNs. I'm not sure how you deal with the resulting breakage, do you just flip the pref on and off?

Just because some site loads some stuff from CDNs doesn't mean I have to visit it or that I care to see what they load from CDNs. In those (relatively rare) cases when I do care I flip the pref. I have the pref page tab pinned for that purpose and the pref name already prefilled. It takes about three clicks to flip it. There used to be a small addon a while back that did this even quicker but changes FF implemented killed it, along with a bunch of other addons.

> I would strongly advise you to use uMatrix which

I tried it a while back, it's just too heavyweight for my needs and not particularly intuitive to use. I'm trying to keep the number of addons I install to a minimum.

There was a time when I was looking forward to FF releases. For the last seven years or so, I've been meeting every FF release with dread: What are they going to screw up this time? What "improvements" are they going to put in that I would need to disable? FF has gotten worse over the years, in my view, not better and your handling of this bug indicates to me that it likely won't get better in the future either. Good luck.
