Privacy-related: Consider enabling these two Chromium flags by default. #1117
Comments
You might also want to make an issue on the android version too :) https://git.droidware.info/wchen342/ungoogled-chromium-android
Changes applied here will automatically be applied to Android version, so no need for a separate issue.
Why must we enable these two flags ourselves? If they're that impactful, why hasn't the Chromium team enabled them by default already? I understand the privacy motivation for enabling these flags, but I'm having trouble seeing the impact on stability and retaining the default Chromium experience (however granular the experience can get). Any clarifications will be appreciated.
OK, so this is what the Chromium team has to say regarding chrome://flags/#prefetch-privacy-changes: "The compatibility risk is mostly low, but not completely clear. Changing the credentials mode for prefetch requests may cause more cache-misses and therefore double-downloads, however could also introduce a correctness problem if prefetch responses do not have the source: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/bSMOY-evrV4 As I have mentioned in the issue I've opened in the Brave repo, I have used the following websites with no compatibility issues:
I realize that this is no scientific test or something, but it goes to show that there really is not a problem with enabling this flag by default. Brave did, and so did Bromite recently, and there are no reports of related issues yet. As for chrome://flags/#reduced-referrer-granularity, its effect is documented here: Seems like a sane referrer header policy to me. The Chromium team is currently testing these changes, evaluating whether or not they can be enabled by default. But as said, I have had no issues with both of these flags set to "Enabled".
Seems like it'll start being enabled in 85 and onward: https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default Thanks for explaining. I agree that the impact is low for these flags, so I'll enable them.
Please consider enabling chrome://flags/#reduced-referrer-granularity and chrome://flags/#prefetch-privacy-changes by default. The former is purely privacy-related; I don't know if you are already doing something similar. The latter prevents data leakage as described here:
https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html
Here is the "Intent to implement" in Chromium:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/bSMOY-evrV4
I have raised the same issue in the Brave browser repo, with the result that the flags got enabled by default:
brave/brave-browser#8319
I have also raised this in the Vanadium repo, still under review:
GrapheneOS/Vanadium#71
Thank you for your attention.
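
What chrome://flags/#reduced-referrer-granularity changes in practice, as an added example (not code from this thread or from Chromium): a simplified sketch of how the `Referer` value is derived under the older default `no-referrer-when-downgrade` and under `strict-origin-when-cross-origin`, the default described in the Chrome 85 article linked in the comments. Function names and URLs are constructed for illustration, and "downgrade" is approximated as HTTPS to non-HTTPS.

```javascript
// Added example: Referer value for a page that sets no explicit referrer policy.
// Simplified from the Referrer Policy spec; all URLs are constructed samples.

// Strip a URL the way the spec does before it is sent as a referrer.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null; // file:, data:, about: send nothing
  if (originOnly) return u.origin + '/';   // path and query are dropped
  u.username = '';
  u.password = '';
  u.hash = '';                             // fragments are never sent
  return u.href;
}

// Approximation of the spec's "potentially trustworthy" downgrade check.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Returns the Referer header value, or null when no header is sent.
function computeReferer(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case 'no-referrer-when-downgrade':       // older default
      return isDowngrade(from, to) ? null : stripForReferrer(from, false);
    case 'strict-origin-when-cross-origin':  // default with the flag enabled
      if (sameOrigin) return stripForReferrer(from, false);
      return isDowngrade(from, to) ? null : stripForReferrer(from, true);
    default:
      throw new Error('policy not covered by this example: ' + policy);
  }
}

// Side-by-side view of what a destination receives under each default.
function compareDefaults(from, to) {
  return {
    before: computeReferer('no-referrer-when-downgrade', from, to),
    after: computeReferer('strict-origin-when-cross-origin', from, to),
  };
}

// Constructed sample: a page whose URL carries an identifier in the query string.
const SAMPLE_PAGE = 'https://shop.example/account/orders?id=1234#top';
console.log(compareDefaults(SAMPLE_PAGE, 'https://cdn.example/lib.js'));
console.log(compareDefaults(SAMPLE_PAGE, 'https://shop.example/cart'));
console.log(compareDefaults(SAMPLE_PAGE, 'http://legacy.example/img.png'));
```

Only the cross-origin case differs between the two defaults: the third party receives the origin instead of the full path and query string.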