[Chrome] "Change your privacy-related settings" permission required #1424
Comments
|
+1 |
1 similar comment
|
+1 |
|
@jwalton Essentially what you are asking is for uBlock to lie to users. Users expect uBlock to block network requests, not just data transfer, and as it currently is, Prefetch is turned on by default, which means users would leak their IP address when using uBlock, while they rightfully expect that it is not the case. |
|
As a user, I want ublock to block ads. I, personally, don't really care about leaking my IP address, and I'd rather have the performance benefits of prefetching; this is a trade off I'm willing to make. I'd be happy if ublock popped up a warning telling me that this setting was turned on, and I'd get better privacy if I turned it off, but I'm not happy with ublock forcing this setting to a value I don't want. I'm also not really comfortable allowing a third party plugin access to change my privacy settings - here uBlock is making a change which improves my privacy, but I have no guarantees that future versions of uBlock won't change things in a way that negatively affect my privacy. |
uBlock is for those who care, and pre-fetching actually does add pointless overhead when the network requests are blocked, which occurs a lot with a blocker: a connection is created and established for data transfer which won't occur for blocked network requests. It's more efficient to prevent the connection to be created in the first place. Any other approach is for placebo blockers. |
|
... And for those of us who care about the half of my comment you didn't
|
|
If Chroming's way of prefetching is messing with your privacy, it's better to question the browser you use instead of the tools you use to keep it from doing so. |
That's true for all extensions/addons. It's why when it comes to trust, track record is what matters. Edit: I know other blockers which do not require the Privacy permission, and yet send they themselves your browsing history. You have to look beyond the surface. uBlock, being first to serve users' interests, can actually disclose what other extensions do by giving you access to behind the scene network requests. |
|
Ironically, the reason I use uBlock is because it makes browsing faster. If this project is going to be more privacy oriented (to the point where I'm not allowed to configure things) then I'll need to fork it and make my own. I do not want to do this. I maintain another complicated Chrome extension (Batarang) and it's happened before. No one ends up happy. I'd be delighted to open a PR to allow the user to choose their own option. uBlock doesn't need to lie to users if it sets a default and then lets the user configure. |
|
I've setup a poll to see what the user base thinks as a whole. It's much appreciated if you can fill out the poll. |
You are confusing connection with request. Prefetching did not allow requests to be made without uBlock blocking them, it allowed a connection to be established, which connection would then be used to send the request if ever it wasn't blocked by uBlock. Establishing a connection is enough for a remote server to see your IP address, nothing else though. That doesn't seem much, but for a blocker it is important, as this violate users' expectation that the remote server doesn't even get to know they exist at all. |
|
@chrisaljoudi I think 2 more options could be added to the poll: "Allow the user to easily toggle the preference via the uBlock UI, with a default of Enabled" and "Allow the user to easily toggle the preference via the uBlock UI, with a default of Disabled". |
|
What's the status of this issue in regards to Firefox prefectching (as opposed to Chrome)? |
|
@gorhill thanks — fixed. |
|
What does "Prefetch resources to load pages more quickly". do, that he wants the plugin to automatically disable it? is it bad? I have it on, but never had any trouble with it, neither do ads show up with it on. |
|
It's a perceptual performance optimization. When you load a web page, Chrome might start following links on that page and loading them in the background, before you've actually clicked on anything. Let's say you search for "Dinosaur movies" on google; Chrome might decide to pre-load the first search result before you actually click on it, since you're probably going to click on it, and this way when you do eventually click on it, it will seem like it loaded faster. |
|
Go to https://www.browserleaks.com/whois: except for |
|
So it basically loads the ads as well right? but to be honest I never get to even see the ads. |
|
@dragons4life Correct. At issue here is speed vs. privacy. When uBlock disables this feature, your IP is not leaked to other parties. However, things go slower. Not everyone uses an adblocker for privacy - quite a few of us use it to speed up browsing (giant flash ads don't contribute towards making things go zoom). |
Unlikely, what really slows down browsers nowadays is all the crap sites serve, and this is taken care by uBlock. To say prefetching speed up things in the context of a efficient blocker is such an unsupported claim. Of course, without a blocker this may make a difference, but the real solution for slow pages is to cut the crap, a feature the browser itself won't ever support, so they use these fancy features as a crutch. That prefetching feature in the context of uBlock is overhyped. Hard data is what is needed. |
|
edit: nvm |
|
Well... I really thought it was only about the connection itself, but as per Google, it's worst:
In my testing I didn't see any resource downloaded, but then I may have not tested enough web sites, or maybe Chromium doesn't go that far. So this would make prefetching an even bigger concern than I expected. |
|
It's worth noting that there are a slew of negative reviews after this change: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm/reviews?hl=en Again, I'd rather not see this extension become a nanny state over my privacy controls. Preload is incredibly useful for aggregators like HN where there may be 1-2 sec latency. |
I see this as a long term project. My decision will be proven right in the long term. People knee jerking without fully understanding what really went on is not a good reason for me to weaken good privacy habits. There will be a setting next version to re-enable it if you want, but prefetching will always be disabled by default, for all the reasons invoked. My track record is that of not compromising users' interests for the benefits of data miners etc., and disabling prefetching is consistent with this. |
|
If Google's support documentation is correct (per gorhill's quote of Google's support site above), that's a seriously nasty feature that IMHO should be disabled everywhere. Personally, I never use Chrome because I don't trust Google to not make such horrible decisions for their subjects... er, I mean "customers". |
|
'network.predictor.enabled' does something similar in firefox, which is a real privacy killer. Maybe these settings should be ported to uMatrix too, as these connections are not blocked by default when this pref is on (default). Request Policy Continued are also considering adding this Add a on/off switch for Firefox Network Prediction in preferences #638 |
|
@Radagast AFAIK, the 'network.predictor.enabled' feature in Firefox does not have the potential cookies issue that Google tells us that their Chrome browser has (see https://support.google.com/chrome/answer/1385029). To clarify, is there any reason to believe the Firefox predictor system has the same issues regarding cookies (with or without uBlock)? @gorhill In Firefox, do uBlock Origin and uBlock block requests made by the 'predictor' engine? |
|
@Gitoffthelawn As far as I'm aware, cookies are not set as they are in Chrome but connections to potentially undesirable sites, like social networks, are made when mousing over a button from these places. Firefox also has - 'network.prefetch-next' and 'network.dns.disablePrefetch', which also use bandwidth and may violate privacy. Personally, I have all of these disabled in my user.js but that's not for everyone. |
|
|
Firefox's Link prefetching FAQ:
|
|
@jwalton Actually, in addition to causing potentially unwanted connections - DNS prefetching in browsers - dns prefetching can cause dns leaks, which is not ideal for preserving privacy and why it's disabled in tor. Also with email clients, for example thunderbird, it can be used to check message receipt by using embedded urls to different domains. |
|
Prefetching must send cookies for it to be a useful feature. If the prefetched page has authentication that is maintained by a session cookie, prefetching without the cookies would likely result in wasted requests. The result of the user actually navigating to the prefetched page and sending his or her cookies in the request like normal might result in different content. The browser would have to re-request the page on navigation to ensure the content matches pre- and post-cookies, which negates any benefit of having prefetched. |
|
Important update: I'm not sure how I (and others) forgot to mention this, but uBlock doesn't actually implement the feature yet. uBlock Origin does, but uBlock does not yet. Depending on the poll results and the team's discretion, it may or may not be implemented in a future release. As of the latest uBlock version (0.9.5.0) it doesn't ask for such permissions. This is a uBlock Origin issue, not a uBlock issue. |
|
What's the difference between uBlock and uBlock Origin? |
|
@jwalton Check out https://www.ublock.org/faq/ Don't hesitate to let me know if you have any other questions! |
|
@chrisaljoudi Good to know. :) Thanks. |
I've read the why, but if I want this setting unchecked, I can uncheck it myself.
The text was updated successfully, but these errors were encountered: