Closed Bug 1908470 Opened 1 year ago Closed 1 year ago

Privacy-Preserving Attribution API enabled/disabled detectable

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

RESOLVED FIXED
130 Branch
Tracking Status
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: sertonix, Assigned: cbguder)

References

(Blocks 1 open bug)

Details

(Keywords: privacy, Whiteboard: [ads-eng])

Attachments

(1 file)

As far as I know it should not be detectable by a webpage if Privacy-Preserving Attribution is enabled or not (https://github.com/mozilla/explainers/issues/11#issuecomment-2228913120).

It is currently possible to detect that in JS though. When PPA is disabled the argument checking is skipped. This can be used to detect whether PPA is enabled or not by providing an invalid argument (e.g. target: "~") and checking if the function errors.

try {
  navigator.privateAttribution.saveImpression({ type: "view", index: 6, ad: "shoes", target: "~" });
} catch (e) {
  if (e instanceof DOMException)
    console.log("PPA enabled!")
}

It would be better to check if PPA is enabled after the arguments were checked.

Thanks for filing, I can confirm the bug

Status: UNCONFIRMED → NEW
Ever confirmed: true

Yeah that's an oversight on my end, nice catch! Should be a matter of moving the StaticPrefs checks added in https://hg.mozilla.org/mozilla-central/rev/75c2741fec927132a09d1b380e5bf1680069daa2 further below (just before the XRE_IsParentProcess() checks).

Don't think the fix will need uplifting since the API is only exposed through an OT

Make sure to watch out for a timing side-channel as well when fixing this!

Whiteboard: [ads-eng]
Severity: -- → S3
Keywords: privacy
Assignee: nobody → cbguder
Status: NEW → ASSIGNED

The privateAttribution API returns early when the user has disabled
Privacy Preserving Attribution. This makes it possible to detect this
condition by passing in an invalid target domain and observing whether
the API raises an exception.

This moves the user preference checks to happen after input validation,
so that input validation happens (and an exception is thrown) even when
PPA is disabled.

Note that it might still be possible to detect whether PPA is enabled by
observing the timing of calls.

Pushed by gleonard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e8ca6c27ae5b Make it harder to detect when PPA is disabled r=emilio
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch
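
The ordering problem and its fix, as an added model that is not the Gecko patch or code from this bug: it puts the two check orders side by side and runs a differential check that flags any input whose page-visible outcome changes with the preference. All function names, the validation rule and the sample inputs are hypothetical stand-ins.

```javascript
// Added model, not Gecko code: every name below is hypothetical.
class ValidationError extends Error {}

// Stand-in for the API's argument checking (the real rules live in Gecko).
function validate(args) {
  if (typeof args.target !== "string" || !/^[a-z0-9.-]+$/i.test(args.target)) {
    throw new ValidationError("invalid target");
  }
}

// Before the fix: the preference check returns before validation runs.
function saveImpressionBefore(prefEnabled, args, store) {
  if (!prefEnabled) return;
  validate(args);
  store.push(args);
}

// After the fix: validate first, then honour the preference.
function saveImpressionAfter(prefEnabled, args, store) {
  validate(args);
  if (!prefEnabled) return;
  store.push(args);
}

// What a page can observe from one call: "ok" or the exception type.
function outcome(impl, prefEnabled, args) {
  try {
    impl(prefEnabled, args, []);
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// Differential check: the inputs whose outcome differs by preference state.
function leakingInputs(impl, inputs) {
  return inputs.filter(
    (args) => outcome(impl, true, args) !== outcome(impl, false, args)
  );
}

// Constructed samples: one valid target and the invalid one from the report.
const SAMPLES = [
  { type: "view", index: 6, ad: "shoes", target: "example.com" },
  { type: "view", index: 6, ad: "shoes", target: "~" },
];

console.log("before:", leakingInputs(saveImpressionBefore, SAMPLES).length);
console.log("after:", leakingInputs(saveImpressionAfter, SAMPLES).length);
```

The check compares only the returned or thrown outcome; it does not measure call timing, which the commit message above notes may still differ.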