-
Notifications
You must be signed in to change notification settings - Fork 1.1k
When to disable rulesets #7338
Comments
@terrorist96 wrote:
I wrote #7329 (comment)
@terrorist96 wrote #7329 (comment)
|
@terrorist96 Security vs usability is a complex issue. See here for an earlier discussion related to mixed content blocking. We need to strike a balance. It takes technical time to review an issue. Take the AWS issue #4510 . As @J0WI pointed out in #4510 (comment) , that ruleset affects a lot of sites. I can disable the ruleset to fix videos but now I've broken a bunch of other domains like these, so I won't do that. So now I have to figure out what part of the ruleset can safely be disabled, and at this point I'm basically fixing the issue anyway, when your suggestion was just to do something quick and temporary. There is no quick fix for the problem of too many problems, not enough technical people working on them. |
Here's a quote from Hainish in the linked discussion:
And here the functionality is being disrupted. You also argue for erring on the side of usability. However, you wouldn't be breaking a bunch of other domains in the process of disabling the ruleset. You'd only be disabling the forced https; not breaking anything. I think your concern for MCB blocking ads on a site should be overshadowed by rulesets breaking main site functionality (like displaying a video), not ancillary things like advertisements. A site owner not being able to display ads due to MCB is less of a concern than a site owner not being able to serve content, the main function of the site. It seems that most arguments should be in my favor, but the only thing holding it back is the global temporary loss of security on other unrelated sites (notwithstanding the potential permanent loss of security on other unrelated sites via user-disabled rulesets). |
One last thing: if my argument loses, then why are all these default=off rules allowed to stand? They, too, cause broken functionality. But you're also lessening user security. |
By "broken a bunch of other domains" in my last comment, I indeed meant disabling HTTPS coverage, not breaking the intended behavior of the site. Nobody is arguing with you that these issues should be fixed. If HTTPS Everywhere is breaking some video playback, then that's a problem. But, I'm not going to blindly disable rulesets based on the fact that an issue has been open for a while. I'm a volunteer here and can work on what I want. If you want those issues fixed more quickly then you should try fixing them yourself, or find or pay a friend who will fix them for you. |
I just fail to see the consistency. The GoogleVideo ruleset used to be on, but one day it started to break stuff. Instead of the rule being fixed, it was simply turned off since it was causing broken functionality, and that rule affects many sites. |
The general rule we've followed in the past is that we should be liberal in disabling rulesets that break functionality, even if that lessens the security of some valid sites included in a ruleset. When a ruleset is disabled, a user navigating to a host included in that ruleset has the option of manually re-enabling it when they navigate to that host. But that's a functionality they have to know about. I'm willing to bet a good portion of our users, if not most of them, just install HTTPS Everywhere without realizing you can disable and re-enable rulesets manually. For them, they just see a site is broken, and if you disable HTTPS Everywhere, it ceases to be broken. So I think for most sites, it's best to just disable if it's causing an issue. Last year, @jsha ran an automated test which disabled any ruleset which did not pass the fetch test. This disabled a good portion of the total rulesets we have in the addon, but the thinking is that it's better to be functional and give users some security than non-functional and have users uninstall the addon altogether. I agree with @jeremyn that we should verify that a ruleset is actually causing an issue before disabling it. And there are some edge cases as well. If one of the sites in the Bit.ly ruleset is not resolving in DNS, we shouldn't disable the ruleset, which includes 26k hosts. The distinction is that this probably won't actually disrupt site functionality. @terrorist96, if a ruleset maintainer has stated that they don't want to address a specific class of issues, that's okay and you should respect that. For example, someone who doesn't know Chinese may feel that they are ill-equipped to tell if a ruleset disrupts functionality of a |
And that's fine with me. Like I said, I'm not trying to force anyone to do anything here. I'm just trying to understand the reasoning for disabling some rules that break functionality while leaving others enabled. |
In the case of CDNs, disabling these rules can have a dangerous cascading effect due to MCB, so I agree with @jeremyn there that we should not just disable them. We do not know where disabling them will cause problems for other rulesets, and that's hard to predict. So for CDNs, I'd say let's air on the side of caution and keep them enabled, but also try to fix them quickly. |
It's kind of tricky to predict when a site may be used as a source of 3rd party content. For now we are forced to use our best judgement, which can be pretty shoddy in certain circumstances. I know that Google Analytics is used on many sites, but maybe I wouldn't know that Baidu Analytics was something commonly used. So someones perspective is of course locale-dependent, and this is problematic when making judgement calls such as whether to disable a ruleset when you're unsure if that action will cause lateral impact. I'm going to try to track down a tool that may help here. I know OpenWPM is a tool used to gather statistics on the inclusion of 3rd party trackers on first-party sites, but I'm unsure if it's just gathering this data for trackers or all 3rd party resources. There are probably tools out there that can help us, but I'd have to search them out. |
NerdyData seems to be a good tool for this. It's able to search source code on lots of sites: https://nerdydata.com/search?query=fonts.googleapis.com |
Common Crawl might be a great resource for this. It has 250TB+ of web source data: https://commoncrawl.org/ |
Part of the problem is that these CDN rulesets jumble things together when they shouldn't, with little documentation. In other words, they're not good rulesets. Maybe one of these domains is security-critical content, like Android EDIT: And of course, those are just test URLs for a wildcard. There may be URLs covered by the wildcard that are serving security-critical content that we have no idea exist. |
Also, the problem class of broken third party videos can be super annoying to troubleshoot. (None of these examples are meant to criticize any of the people who reported these issues on a personal level, I'm just giving these as examples illustrating how these issues can go.) In In The issue creator sometimes states the problem as just "video won't load" or "video broken" -- what does that mean? A partial list of possibilities is, though I'm not claiming to have personally seen all of these in issues: player doesn't show; player shows but there's an error; player shows, no error, just a spinner that won't go away; player shows an ad but not the video after the ad. I have to inspect a site I'm not familiar with, maybe in a language I don't know, with tons of ads and other content blinking at me, for what "video won't load" might mean. In In People reporting video problems are sometimes not experienced contributors so there can be more interaction than normal, which takes time ( Assuming I can reproduce the problem, these media sites usually have dozens of rules because of ads and trackers, so it might not be obvious which ruleset is causing the problem. The Firefox Web Console can get flooded with messages from the dozens of ad and tracker scripts running, making it difficult to look for the usual I hope this helps explain why it's easy to pass on video problems when there are hundreds of other open things to do. |
Appreciate the explanation. I always try to mention the specific ruleset that causes the problem when making a report. Anything else I can do to help, just ask. For example, I found a deep link to help reproduce/isolate an issue here. :) |
Be also aware that different enabled/disabled rule sets between users are a possible fingerprinting target, although an unlikely one. |
I'm closing this since it's a year-old discussion. |
This is a follow-up to the discussion in #7329
@jeremyn @terrorist96
The text was updated successfully, but these errors were encountered: