Open Bug 1861889 Opened 7 months ago Updated 4 months ago

chrome.privacy.network.networkPredictionEnabled API no longer prevents preconnecting

Categories

(WebExtensions :: Compatibility, defect, P2)

Product:
WebExtensions
Component:
Compatibility
Version:
Firefox 121
Type:
defect

Tracking

(firefox-esr115 affected, firefox119 wontfix, firefox120 affected, firefox121 affected)

Tracking Flags:
Tracking Status
firefox-esr115 --- affected
firefox119 --- wontfix
firefox120 --- affected
firefox121 --- affected

People

(Reporter: gwarser, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0

Steps to reproduce:

User noticed that despite using uBlock Origin, DNS requests are made, visible in NextDNS logs: https://github.com/uBlockOrigin/uBlock-issues/issues/2913

STR:

  • with uBlock Origin installed which should block Google tracking connections and disable prefetching/preconnection by default
  • go to https://my.nextdns.io/
  • copy the DOH server addres and add it in about:preferences secure DNS max protection setting
  • Open a tab to about:networking#dns
  • Click "Clear DNS Cache"
  • Click "Refresh" to be sure
  • open https://twitterdownloader.co/ tab
  • https://my.nextdns.io/.../logs shows DNS requests for google-analytics.com and googlesyndication.com

This is regression:

app_name: firefox
build_date: 2023-04-18 18:09:57.629000
build_file: /home/rdk/.mozilla/mozregression/persist/0cae6ecbc398-pgo--autoland--target.tar.bz2
build_type: integration
build_url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/L6z0NMXPRWiJ0H_bHyJZjw/runs/0/artifacts/public%2Fbuild%2Ftarget.tar.bz2
changeset: 0cae6ecbc3984ca8f45c8ae5a0bec250392a22c1
pushlog_url: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0cae6ecbc3984ca8f45c8ae5a0bec250392a22c1&tochange=3155d983a779ff98645129c066353f3204786f4c
repo_name: autoland
repo_url: https://hg.mozilla.org/integration/autoland
task_id: L6z0NMXPRWiJ0H_bHyJZjw

https://bugzilla.mozilla.org/show_bug.cgi?id=1813618
Notable discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1854782

Also, if you follow these steps:

  • Go to about:config, filter using preconnect
  • Toggle network.preconnect to false
  • Repeat above STR

No DNS requests to google-analytics.com and googlesyndication.com will be logged in NextDNS.

Actual results:

https://my.nextdns.io/.../logs shows DNS requests for google-analytics.com and googlesyndication.com.

Expected results:

Requests to resolve these domains should not happen.

Has STR: --- → yes
Keywords: regression
Regressed by: 1813618

I believe, the API was initially implemented here https://bugzilla.mozilla.org/show_bug.cgi?id=1312802

:keeler, since you are the author of the regressor, bug 1813618, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)

Relevant API calls from uBlock Origin seems to be at https://github.com/gorhill/uBlock/blob/bc632b546464b6fdfbb25d34097b4fe8ae7da8fc/platform/common/vapi-background.js#L136-L217

  • network.networkPredictionEnabled in the privacy namespace maps to network.networkPredictionEnabled pref.

If fixing bug 1813618 caused this behavior, it probably means there was an issue with the original implementation of chrome.privacy (before fixing bug 1813618, preconnect was always disabled).

Flags: needinfo?(dkeeler) → needinfo?(bob.silverberg)
See Also: → 1854782

Hello,

I reproduced the issue on the latest Nightly (121.0a1/20231030164930), Beta (120.0b4/20231030091620) and Release (119.0/20231019122658) under Windows 10 x64 and Ubuntu 22.04 LTS.

Performing the STR will show DNS requests for google-analytics.com and googlesyndication.com in https://my.nextdns.io/.../logs as per Comment 0.
Performing the alternate STR (where network.preconnect is false) will not show DNS requests to google-analytics.com and googlesyndication.com in NextDNS.

Status: UNCONFIRMED → NEW
status-firefox119: --- → affected
status-firefox120: --- → affected
status-firefox121: --- → affected
Ever confirmed: true

Based on the regressor tracking data, 115 (ESR) is also affected.

Set release status flags based on info from the regressing bug 1813618

status-firefox-esr115: --- → affected

I think that it would make sense to disable all preconnect-like functionality whenever the browser.privacy.network.networkPredictionEnabled extension API is set to false.

Flags: needinfo?(bob.silverberg) → needinfo?(rob)
Summary: chrome.privacy API no longer prevents preconnecting → chrome.privacy.network.networkPredictionEnabled API no longer prevents preconnecting
Keywords: regression
No longer regressed by: 1813618

Why did you remove the regression tag? Bug 1813618 was identified as the regressor through mozregression.

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #4)

If fixing bug 1813618 caused this behavior, it probably means there was an issue with the original implementation of chrome.privacy (before fixing bug 1813618, preconnect was always disabled).

The extension API is used to force-disable preconnect. If the feature was always disabled, then that implies that the extension API works as desired, trivially. Preconnect is an optional feature, so it not working would not be a bug.

However, preconnecting despite having set the setting to false would be a bug, at least from the perspective of a privacy-conscious extension user.

This error does not only apply to ublock/preconnect.

For example, on rt.pornhub.com firefox in the tracking protection status panel reports that static.trafficjunky.com is blocked, but it is not.

On www.pvsm.ru also www.acint.net is not blocked.

The solution to the problem is to disable the DoH.

Strange, disabling DoH only solves the problem on www.pvsm.ru

I'm sorry, it looks like DoH had nothing to do with it.
The problem should be solved in the built-in Tracking Protection, and then deal with uBlock Origin.

I think I got it:

network.predictor.enabled = false
OS Resolver - www.acint.net blocked
DoH - www.acint.net does not blocked

network.predictor.enabled = true
OS Resolver and DoH - built-in Tracking Protection doesn't block a trackers, simply put it doesn't work.

DoH - www.acint.net does not blocked

DoH has no effect on this, it's just that for some reason the domain is not blocked in standard ETP mode.

network.predictor.enabled = true
on www.pvsm.ru - mc.yandex.ru is not blocked in strict mode.

network.predictor.enabled = true
on www.pvsm.ru - mc.yandex.ru is not blocked in strict mode.

I don't know if it has anything to do with this bug.
To block it, have to:
network.predictor.enabled = false
urlclassifier.trackingTable.testEntries = yandex.ru

I needinfo'd myself with the intent to get to a resolution quicker. I did however not get to this because of the sheer amount of work I have, so I will instead mark this bug with P2 so it can be triaged and scheduled as part of the regular planning in the team.

(In reply to Rob Wu [:robwu] from comment #8)

I think that it would make sense to disable all preconnect-like functionality whenever the browser.privacy.network.networkPredictionEnabled extension API is set to false.

If there are preferences connected to the feature here, we should also set them when an extension sets networkPredictionEnabled to false.

Severity: -- → S3
Flags: needinfo?(rob)
Priority: -- → P2

(In reply to Rob Wu [:robwu] from comment #19)

I needinfo'd myself with the intent to get to a resolution quicker.

I tested v113, it doesn't have the predictor/preconnect issues described above.

You need to log in before you can comment on or make changes to this bug.