Intent to prototype: ETP strict mode shims for content-blocked resources
Skip to first unread message
Aug 20, 2020, 5:05:12 PM8/20/20
Reply to author
Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Report message as abuse
Sign in to report message as abuse
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
ETP strict mode performs content-blocking, which can cause
breakage on many sites ranging from features like Facebook's
federated logins not working, to sites not being able to load
at all. This currently occurs in private browsing mode, and/or
if the user has enabled the option in Firefox preferences.
Shims serve as stand-ins for specific blocked resources,
mimicking them well enough to un-break webpages. They additionally
allow users to opt into loading the original blocked resource, on
a per-resource and per-TLD basis, to allow users to (for instance)
log into a specific site with Facebook by just clicking on the
usual login button to open the related login popup, without
having to take extra actions to allow the Facebook script and
refreshing the page.
This way users pick and choose which resources are allowed
on which sites, to minimize what is actually allowed through ETP
content blocking. Shims are shipped as part of the pre-existing
webcompat system/built-in addon (not hosted remotely).
None. The same basic concept is being used by DuckDuckGo's privacy
extension as well as uBlock Origin, using the name "surrogates",
but without the user opt-in concept.
- Desktop nightly in 81, riding to release for 82.
- Android TBD (but currently aiming for the same schedule).
List of shims initially enabled:
- Allow federated logins with Facebook and Rambler
- Fix basic site breakage related to:
- Ads by Google
- Ad Safe Protected's Google IMA adapter
- BmAuth by 9c9media
- Eluminate (coremetrics.com)
- Google Analytics (and its Tag Manager and e-commerce plugins)
- Google IMA3
- Google Publisher Tags
- Rich Relevance
extensions.webcompat.enable_shims = true|false
Individual shims may also be disabled, for instance:
extensions.webcompat.disabled_shims.FacebookSDK = true
None. A message will be logged to the web console for each shim
which is active on a given page, linking to their related
None by default to my knowledge. but as mentioned, DuckDuckGo
browser's privacy extension has a similar "surrogates" feature,
as does uBlock Origin.
Mochitests are provided for test-coverage, as this is not
presently a standards-track feature, and requires tests for a
Security & Privacy Concerns:
Users may opt into allowing otherwise-blocked resources, as
desired. This will of course thwart content-blocking, so to
limit the risk the user will need to opt in on a per-TLD basis,
and the web API exposed by shims (to match the original scripts
being shimmed) is limited to only being allow to specific
resources through ETP content-blocking on a case-by-case basis,
and only if they intend to allow user opt-ins in the first place.