-
-
Notifications
You must be signed in to change notification settings - Fork 346
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set enable_reporting to false #995
Conversation
Added `ungoogled-chromium-Fix-building-without-enabling-reporting.patch` to fix build issues. See the following PR for more details: ungoogled-software/ungoogled-chromium#1416
Nice finding, but what is the impact of |
It was enabled in v83 because of COEP: https://bugs.chromium.org/p/chromium/issues/detail?id=887967 |
@csagan5 I thought it was just an oversight setting it to true. I'll dig into the linked Chromium issue and report back in the next few hours. Setting Regardless, I'll report back after I review. |
From what I read COEP reporting and the policy itself are two separate things? I had a look at the navigation and render host part and there is nothing hidden behind the reporting flag. |
@csagan5 isn't the point of these lines bromite/build/patches/ungoogled-chromium-Fix-building-without-enabling-reporting.patch Lines 1 to 24 in 9824847
enable_reporting being true?
@Ahrotahn explains why the other changes are needed in this comment ungoogled-software/ungoogled-chromium#1416 (comment). I haven't had any issues today after building v89 with |
Yes; but as far as I know no reporting of any other type is happening right now; it would be nice to confirm/deny that.
Yes, but for all changes we need to have a reason to make them and then document it. |
Any suggestions on a reliable way to profile and test requests?
I'll be the first to admit I have very limited knowledge of Chromium's net architecture -- hopefully someone more familiar can chime in on whether Feel free to close this or keep it open until we have more context to make an informed decision. |
None other than Wireshark; see also #471 By following the code it should be possible to understand what reporting does (or not). |
ah, I didn't notice, thanks @csagan5 |
I got there by checking something else, but here it is explained:
can this be enough? |
(3) is the most important aspect here |
forget it, a more careful check allowed me to understand that cookies are NOT active. regarding the other points, personally I think that any request not authorized by the user should never be made. |
I still do not have a resolution for the other questions (2,4)
The requests are sent to the same site the user is visiting, not a third-party. What are the conditions under which these requests are sent? |
should it be verified or are you sure?
the documentation and code must be studied and the test cases verified, it can be a long thing. |
I am sure; it must be the same domain; feel free to double-check!
Sure; but it is supposedly a feature for the protection of users (in case they are under MiTM or similar security problems), at the moment I am not sure how it can be abused against users. |
ok, i'll check. |
Related #985, where we enabled |
https://w3c.github.io/reporting/#disable so, there should be a flag that deactivates it, but there isn't |
Since adding a |
@csagan5 should I update this PR with the latest patch that's located at https://github.com/Eloston/ungoogled-chromium/blob/a9eb6fd87445465a2e1881f7fc6e718fd17db606/patches/core/ungoogled-chromium/fix-building-without-enabling-reporting.patch? |
why you say that?
I don't know, the alternative would be put a flag and act only on https://source.chromium.org/chromium/chromium/src/+/master:services/network/network_context.cc;l=2241;drc=70365c5dbd0628df048dcc4e81740b3932411574 however the code must be checked. |
I came up with another idea. I don't know if you are aware of traffic annotator script, (i think the result). the idea could be to create an ui that allows the user to select which ones he wants to activate. also theoretically it would also be possible to act in DefineNetworkTrafficAnnotation(), by modifying the call in such a way that the compiler communicates new annotators to us going into error. about the implementation, I don't think it's impossible, a bit 'of doubts about what to return in case it is blocked, because I would not want there were infinite retries, but just check. |
I say that because it is currently a build flag, just assuming that it would be complicated at runtime. But if we have already covered similar complexity/functionality and you think we can have it as a flag it would be better.
I know about traffic annotations but I have never checked the scripts used during tests for them.
Before doing this we should survey what are the traffic annotations and if there is an use-case for enabling/disabling some. If not, this would not be necessary. As for the error: the one returned when ad-blocking is also fine.
The domain substitution patch changes strings, which end up in multiple places. Even when they end up in URLs being loaded, they are not always via
For this specific PR #995 I suggest a flag, for the traffic annotations we can study it separately in a new issue.
@nikolowry if we go with the flag then the reporting code would be always compiled but disabled at runtime, so I suggest to hold on that for now. |
I am going to try building with |
I'll do the same tonight and update the patch in the PR. Feel free to cool if you beat me to it @csagan5 |
@nikolowry not necessary, I was already going to merge the PR after verifying that it does not introduce bugs. |
In v94 there is now a feature flag that basically achieves this: chromium/chromium@329e4bb Perhaps we could stick to that feature flag alone instead of the patch; @nikolowry @uazo feel free to investigate. |
@csagan5 there's been two commits targeted for v94 in Ungoogled's
Maybe the commit author, @Ahrotahn, could weigh in with their thoughts? |
no, it does not seem I also checked the current master and the flag still does just that. |
That was my understanding as well, but I haven't looked into it since that update. It seemed like they were still adding more changes at the time. Those changes to the reporting patch were made because |
Yes, they forgot to gate the
Ok, then we still need this patch. |
enable_reporting
has been enabled since v83.0.4103.46, 65bd5c1.This PR sets it back to false and adds
ungoogled-chromium-Fix-building-without-enabling-reporting.patch
to fix build issues. See ungoogled-software/ungoogled-chromium#1416 for more details.