Intent to prototype: ETP strict mode shims for content-blocked resources

Thomas Wisniewski

Aug 20, 2020, 5:05:12 PM
to dev-pl...@lists.mozilla.org
Summary:
ETP strict mode performs content-blocking, which can cause
breakage on many sites ranging from features like Facebook's
federated logins not working, to sites not being able to load
at all. This currently occurs in private browsing mode, and/or
if the user has enabled the option in Firefox preferences.
Shims serve as stand-ins for specific blocked resources,
mimicking them well enough to un-break webpages. They additionally
allow users to opt into loading the original blocked resource, on
a per-resource and per-TLD basis, to allow users to (for instance)
log into a specific site with Facebook by just clicking on the
usual login button to open the related login popup, without
having to take extra actions to allow the Facebook script and
refreshing the page.
This way users pick and choose which resources are allowed
on which sites, to minimize what is actually allowed through ETP
content blocking. Shims are shipped as part of the pre-existing
webcompat system/built-in addon (not hosted remotely).

Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1637329

Standard:
None. The same basic concept is being used by DuckDuckGo's privacy
extension as well as uBlock Origin, using the name "surrogates",
but without the user opt-in concept.

Platform coverage:
- Desktop nightly in 81, riding to release for 82.
- Android TBD (but currently aiming for the same schedule).

List of shims initially enabled:
- Allow federated logins with Facebook and Rambler
- Fix basic site breakage related to:
  - Ads by Google
  - Ad Safe Protected's Google IMA adapter
  - BmAuth by 9c9media
  - Eluminate (coremetrics.com)
  - Google Analytics (and its Tag Manager and e-commerce plugins)
  - Google IMA3
  - Google Publisher Tags
  - Rich Relevance

Preference:
extensions.webcompat.enable_shims = true|false
Individual shims may also be disabled, for instance:
extensions.webcompat.disabled_shims.FacebookSDK = true

DevTools bug:
None. A message will be logged to the web console for each shim
which is active on a given page, linking to their related
Bugzilla bug.

Other browsers:
None by default to my knowledge, but as mentioned, DuckDuckGo
browser's privacy extension has a similar "surrogates" feature,
as does uBlock Origin.

Test coverage:
Mochitests are provided for test-coverage, as this is not
presently a standards-track feature, and requires tests for a
system/built-in addon.

Security & Privacy Concerns:
Users may opt into allowing otherwise-blocked resources, as
desired. This will of course thwart content-blocking, so to
limit the risk the user will need to opt in on a per-TLD basis,
and the web API exposed by shims (to match the original scripts
being shimmed) is limited to only allowing specific
resources through ETP content-blocking on a case-by-case basis,
and only if they intend to allow user opt-ins in the first place.
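
Added example, not part of the original message and not the shim code Firefox ships: a minimal sketch of what "mimicking a blocked resource well enough to un-break webpages" can look like for an analytics-style script. The function name installAnalyticsShim is hypothetical; ga, ga.q, ga.loaded and hitCallback follow the public analytics.js API that pages call, and running hitCallback synchronously is a simplification.

```javascript
// Illustrative stand-in for a blocked analytics script. It exposes the API
// surface pages depend on but stores data locally and sends nothing.
function installAnalyticsShim(win) {
  const queued = (win.ga && win.ga.q) || []; // calls made before "load"
  const fields = new Map();

  // Stand-in tracker: remembers fields in memory, never touches the network.
  const tracker = {
    get: (name) => fields.get(name),
    set: (name, value) => { fields.set(name, value); },
    send: (...args) => runHitCallback(args),
  };

  // Pages often delay navigation or form submission until hitCallback runs,
  // so the shim must still invoke it even though no hit is sent.
  function runHitCallback(args) {
    const last = args[args.length - 1];
    if (last && typeof last.hitCallback === "function") {
      try { last.hitCallback(); } catch (e) { /* keep a page error contained */ }
    }
  }

  function ga(command, ...args) {
    if (typeof command === "function") {
      command(tracker); // ready-callback form: ga(tracker => ...)
    } else if (typeof command === "string" && /(^|\.)send$/.test(command)) {
      runHitCallback(args); // "send" or "<trackerName>.send"
    } else if (command === "set" && typeof args[0] === "string") {
      tracker.set(args[0], args[1]);
    }
    // Everything else ("create", "require", ...) is accepted and ignored.
  }
  ga.loaded = true; // pages test this flag to detect a blocked script
  ga.create = () => tracker;
  ga.getAll = () => [tracker];
  ga.getByName = () => tracker;
  ga.remove = () => {};

  win.ga = ga;
  for (const call of queued) ga(...call); // replay the pre-load queue
  return ga;
}
```

In a browser the shim would be installed on window in place of the blocked script; passing the global object as a parameter keeps the sketch runnable outside a page.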