New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PrivacyBadger is missing blocking of HTML5 cookieless tracking (ping attributes) #587
Comments
A very good point. Here is a description of it http://www.w3schools.com/TAGs/att_a_ping.asp From: charlesprogrammr [mailto:notifications@github.com] With HTML5 came a new attribute to allow tracking of which links on a page are followed, which means we don't even have to click them. The attribute in question is called the 'ping' attribute, and I don't see anything anywhere that addresses its abilities. PrivacyBadger should strip these attributes from each and every page to stop the use before its use becomes widespread. — |
Seems worth doing, I doubt this would even break anything we care about. |
Thanks, Michael. Thanks, Cooper. |
I checked how ping requests appear in So PB can't know which tab and frame the pings belong to and thinks that they come from an internal tab since they satisfy the Ping requests have Following Chrome bugs should be the root cause: Not sure, what to do about that. |
Hmm interesting. Another option would be to block all ping requests. @gunesacar @michael-oneill how much do you think this would break stuff? |
I doubt if it would break anything the user would care about, though it might stop some data going to the collectors. This is another situation where per-site user consent would work. If DNT header is not 0 in the beacon request, block it. |
With this change PB will block requests from whitelisted tabs until the following Chrome bugs are fixed and landed: https://crbug.com/522124 (landed in dev channel) https://crbug.com/522129
Here are some use cases I ran into: Yet, I agree with @michael-oneill; blocking pings shouldn't break any critical functionality. |
This block-all-the-pings approach only needs to be there until the Chrome bugs are fixed (then we'll know which tab/frame/origin is the initiator). The good news is, one of the Chrome bugs is already fixed and landed in the dev channel. Motivated me to send a PR, but feel free to ignore if you think we better wait or not happy with the following behavior: |
With this change, PB will block requests from whitelisted tabs until the following Chrome bugs are fixed and landed: https://crbug.com/522124 (landed in dev channel) https://crbug.com/522129
With this change, PB will block requests from whitelisted tabs until the following Chrome bugs are fixed and landed: https://crbug.com/522124 (landed in dev channel) https://crbug.com/522129
With HTML5 came a new attribute to allow tracking of which links on a page are followed, which means we don't even have to click them. The attribute in question is called the _'ping' attribute_, and I don't see anything anywhere that addresses its abilities. PrivacyBadger should strip these attributes from each and every page to stop the use before its use becomes widespread.
The text was updated successfully, but these errors were encountered: