Intent to prototype: ETP strict mode shims for content-blocked resources

Thomas Wisniewski

Aug 20, 2020, 5:05:12 PM
ETP strict mode performs content-blocking, which can cause
breakage on many sites ranging from features like Facebook's
federated logins not working, to sites not being able to load
at all. This currently occurs in private browsing mode, and/or
if the user has enabled the option in Firefox preferences.
Shims serve as stand-ins for specific blocked resources,
mimicking them well enough to un-break webpages. They additionally
allow users to opt into loading the original blocked resource, on
a per-resource and per-TLD basis, to allow users to (for instance)
log into a specific site with Facebook by just clicking on the
usual login button to open the related login popup, without
having to take extra actions to allow the Facebook script and
refreshing the page.
This way users pick and choose which resources are allowed
on which sites, to minimize what is actually allowed through ETP
content blocking. Shims are shipped as part of the pre-existing
webcompat system/built-in addon (not hosted remotely).


None. The same basic concept is being used by DuckDuckGo's privacy
extension as well as uBlock Origin, using the name "surrogates",
but without the user opt-in concept.

Platform coverage:
- Desktop nightly in 81, riding to release for 82.
- Android TBD (but currently aiming for the same schedule).

List of shims initially enabled:
- Allow federated logins with Facebook and Rambler
- Fix basic site breakage related to:
  - Ads by Google
  - Ad Safe Protected's Google IMA adapter
  - BmAuth by 9c9media
  - Eluminate (
  - Google Analytics (and its Tag Manager and e-commerce plugins)
  - Google IMA3
  - Google Publisher Tags
  - Rich Relevance

extensions.webcompat.enable_shims = true|false
Individual shims may also be disabled, for instance:
extensions.webcompat.disabled_shims.FacebookSDK = true

DevTools bug:
None. A message will be logged to the web console for each shim
which is active on a given page, linking to their related
Bugzilla bug.

Other browsers:
None by default to my knowledge, but as mentioned, DuckDuckGo
browser's privacy extension has a similar "surrogates" feature,
as does uBlock Origin.

Test coverage:
Mochitests are provided for test-coverage, as this is not
presently a standards-track feature, and requires tests for a
system/built-in addon.

Security & Privacy Concerns:
Users may opt into allowing otherwise-blocked resources, as
desired. This will of course thwart content-blocking, so to
limit the risk the user will need to opt in on a per-TLD basis,
and the web API exposed by shims (to match the original scripts
being shimmed) is limited to only being able to allow specific
resources through ETP content-blocking on a case-by-case basis,
and only if they intend to allow user opt-ins in the first place.
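A sketch of what "mimicking them well enough to un-break webpages" can mean for one entry in the list above, the Google Analytics `ga()` command queue. This is an added example, not code from the post or from the Firefox webcompat addon; `installGaShim` and the window-like argument are hypothetical names, and only the stand-in is modelled, not the user opt-in.

```javascript
// Added illustration: a stand-in for a blocked analytics script.
// It exposes the API surface pages call, but never sends a hit.
function installGaShim(win) {
  const name = win.GoogleAnalyticsObject || "ga";
  const queued = (win[name] && win[name].q) || [];
  const fields = new Map();

  // Tracker object: stores fields locally, never touches the network.
  const tracker = {
    get: (key) => fields.get(key),
    set: (key, value) => { fields.set(key, value); },
    send: (...args) => runHitCallback(args),
  };

  // Pages often defer navigation or form submission until hitCallback
  // fires, so the stand-in must still call it even though no hit is sent.
  function runHitCallback(args) {
    const opts = args[args.length - 1];
    if (opts && typeof opts === "object" && typeof opts.hitCallback === "function") {
      try { opts.hitCallback(); } catch (_) { /* error in page code; ignore */ }
    }
  }

  function ga(command, ...args) {
    if (typeof command === "function") {
      command(tracker);            // "ready" callback form: ga(fn)
    } else if (typeof command === "string" && /(^|\.)send$/.test(command)) {
      runHitCallback(args);        // "send" or "trackerName.send"
    }
    // Every other command (create, set, require, ...) is accepted and dropped.
  }
  ga.loaded = true;
  ga.create = () => tracker;
  ga.getByName = () => tracker;
  ga.getAll = () => [tracker];
  ga.remove = () => {};

  win[name] = ga;
  // Replay commands the page queued before the script "loaded".
  for (const call of queued) ga(...Array.from(call));
  return ga;
}
```

In a browser the argument would be `window`; passing a plain object makes the behaviour checkable outside one.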