Enable the prefetch-privacy-changes flag by default #8319

Closed
Peacock365 opened this issue Feb 19, 2020 · 7 comments · Fixed by brave/brave-core#5731

Comments

@Peacock365

Peacock365 commented Feb 19, 2020

Description

The Brave flags "Reduce default 'referer' header granularity." and "Prefetch request properties are updated to be privacy-preserving" should be enabled by default, in order to improve the default privacy of Brave users. No website breakage is expected here, no performance degradation is expected here. I have visited several major websites so far with both of these settings enabled (Facebook, Google, YouTube, eBay, Twitter, Amazon, Instagram - you name it), and the websites do behave normally. Please consider enabling these settings by default.

Steps to Reproduce

1. Go to chrome://flags/#reduced-referrer-granularity
2. Go to chrome://flags/#prefetch-privacy-changes

Actual result:

The settings are disabled by default.

Expected result:

The settings should be enabled by default.

Reproduces how often:

Easily reproduced.

Brave version (brave://version info)

Brave | 1.3.115 Chromium: 80.0.3987.87 (Official Build) (64-bit)
Revision | 449cb163497b70dbf98d389f54e38e85d4c59b43-refs/branch-heads/3987@{#801}
OS | macOS Version 10.15.3 (Build 19D76)

(Reproducible on other OSes as well, though.)

Version/Channel Information:

Does this issue happen on any other channels? Or is it specific to a certain channel?

I use the release channel, but it can be reproduced on all channels.

Other Additional Information:

Is the issue reproducible on the latest version of Chrome?

Yes.

Miscellaneous Information:

Is there any good reason why those settings are disabled by default as it stands? Anything I am unaware of?

@bsclifton
Member

cc: @snyderp @tomlowenthal

@pes10k
Contributor

pes10k commented Feb 19, 2020

I think we already do this, but just w/o using the code paths Chrome uses. We ought to just remove the flags.

@tildelowengrimm
Contributor

Removing the flags is another thing that we need to maintain on rebases, so if they're redundant, let's just ignore them. I'm personally not sure what either of the flags do. François says that the referer one is less protective than our Shields default, and Chrome is going to enable it by default if their tests pan out, so that one's easy to ignore. Looks like #prefetch-privacy-changes is pretty good. No reason not to enable it IMO? Is it redundant with some other protection?

@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Feb 19, 2020
@Peacock365 Peacock365 changed the title Same Brave flags related to privacy could / should be changed. Some Brave flags related to privacy could / should be changed. Feb 19, 2020
@tildelowengrimm tildelowengrimm added the needs-more-info The report requires more detail before we can decide what to do with this issue. label Feb 24, 2020
@fmarier
Member

fmarier commented Jun 2, 2020

The referrer flag will be enabled as part of fixing #8696. Let's keep this issue open for the prefetch flag:
[Screenshot, 2020-06-01 21-20-46]

@fmarier fmarier removed the needs-more-info The report requires more detail before we can decide what to do with this issue. label Jun 2, 2020
@fmarier fmarier self-assigned this Jun 2, 2020
@fmarier fmarier changed the title Some Brave flags related to privacy could / should be changed. Enable the prefetch-privacy-changes flag by default Jun 2, 2020
@fmarier
Member

fmarier commented Jun 3, 2020

Here is more information about this flag:

and the risks identified by the Chromium team:

The compatibility risk is mostly low, but not completely clear. Changing the credentials mode for prefetch requests may cause more cache-misses and therefore double-downloads, however could also introduce a correctness problem if prefetch responses do not have the Vary: Cookie header attached when their content actually relies on credentials. In this case, it is possible that a user can navigate (with credentials) to a resource, and the user will be served the uncredentialed response from the HTTP cache. We don’t expect the changes to service-workers mode, referrer policy, and redirect mode to break existing content. It is likely they will cause more cache-misses and double-downloads though.
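
The correctness risk quoted above, sketched as an added example (not code from Brave or Chromium): a simplified cache model in which an uncredentialed prefetch response is reused for a credentialed navigation unless the origin sends `Vary: Cookie`. The `TinyHttpCache` class, the `origin` function, the URL and the cookie value are all constructed for illustration.

```javascript
// Simplified model of an HTTP cache that honours Vary (constructed for
// illustration; this is not Chromium's or Brave's cache implementation).
class TinyHttpCache {
  constructor() { this.entries = new Map(); } // url -> [{varyOn, reqHeaders, body}]

  store(url, reqHeaders, resHeaders, body) {
    // Remember which request headers the response says it varies on.
    const varyOn = (resHeaders['vary'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const list = this.entries.get(url) || [];
    list.push({ varyOn, reqHeaders, body });
    this.entries.set(url, list);
  }

  lookup(url, reqHeaders) {
    // An entry matches only if every header named in Vary is unchanged.
    const list = this.entries.get(url) || [];
    const hit = list.find(e =>
      e.varyOn.every(h => (e.reqHeaders[h] || '') === (reqHeaders[h] || '')));
    return hit ? hit.body : null;
  }
}

// Hypothetical origin whose response body depends on the session cookie.
function origin(reqHeaders, sendVaryCookie) {
  const body = reqHeaders['cookie'] ? 'account page for signed-in user'
                                    : 'please log in';
  const resHeaders = { 'cache-control': 'max-age=60' };
  if (sendVaryCookie) resHeaders['vary'] = 'Cookie';
  return { resHeaders, body };
}

// Prefetch without credentials, then navigate with credentials.
function prefetchThenNavigate(sendVaryCookie) {
  const cache = new TinyHttpCache();
  const url = 'https://shop.example/account';      // constructed URL
  const prefetchReq = {};                          // credentials omitted
  const pre = origin(prefetchReq, sendVaryCookie);
  cache.store(url, prefetchReq, pre.resHeaders, pre.body);

  const navReq = { cookie: 'session=constructed-value' };
  const cached = cache.lookup(url, navReq);
  if (cached !== null) return { source: 'cache', body: cached };
  // Cache miss: the resource is downloaded a second time.
  return { source: 'network', body: origin(navReq, sendVaryCookie).body };
}
```

Without `Vary: Cookie` the navigation is answered from the cache with the logged-out body; with it, the lookup misses and the page is fetched again, which is the "double-download" cost the quote mentions.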

fmarier added a commit to fmarier/brave-testing that referenced this issue Jun 4, 2020
fmarier added a commit to fmarier/brave-testing that referenced this issue Jun 4, 2020
@fmarier fmarier added the QA/Yes label Jun 4, 2020
@fmarier fmarier added this to the 1.12.x - Nightly milestone Jun 4, 2020
@LaurenWags
Member

LaurenWags commented Jul 17, 2020

Verified passed with

Brave | 1.12.92 Chromium: 84.0.4147.89 (Official Build) dev (64-bit)
-- | --
Revision | 19abfe7bcba9318a0b2a6bc6634a67fc834aa592-refs/branch-heads/4147@{#852}
OS | macOS Version 10.14.6 (Build 18G3020)



Verification passed on


Brave | 1.12.94 Chromium: 84.0.4147.89 (Official Build) dev (64-bit)
-- | --
Revision | 19abfe7bcba9318a0b2a6bc6634a67fc834aa592-refs/branch-heads/4147@{#852}
OS | Windows 10 OS Version 1903 (Build 18362.959)




Verification passed on

Brave | 1.12.99 Chromium: 84.0.4147.89 (Official Build) dev (64-bit)
-- | --
Revision | 19abfe7bcba9318a0b2a6bc6634a67fc834aa592-refs/branch-heads/4147@{#852}
OS | Ubuntu 18.04 LTS

@srirambv
Contributor

Verification passed on OnePlus 6T with Android 10 running 1.12.111 x64 build

