Firefox 87 introduces SmartBlock for Private Browsing (opens in new tab)

(blog.mozilla.org)

389 pointselktea5y ago117 comments

117 comments

57 comments · 12 top-level

UI_at_80x245y ago· 15 in thread

Next step (please): block all 1x1 sized images.

The transparent pixel tracking trick is common enough now that it should be blocked by default in all 'Private' modes.

jasode5y ago

>Next step (please): block all 1x1 sized images.

If you're not aware, the HTTP protocol specification[1] doesn't have a technical way of knowing ahead of time if it's a 1x1 tracking pixel.

So the remaining realistic options are:

(1) block ALL <img> tags downloads which then blocks any 1x1 tracking pixels

(2) allow <img> tags but block some (and maybe most but not all) 1x1 pixels via a blacklist of url domains (e.g. doubleclick.net) ... and/or heuristics based on the "style" attribute

The (1) already happens in many email clients that render HTML.

The (2) is happening with the ongoing cat & mouse game with AdBlock, EasyList, etc

[1] https://www.google.com/search?q=http+protocol+request+get+sy...

vlovich1235y ago

Or Firefox could crowdsource the building of a bloom filter of the URLs for images that are 1x1. Or you could learn 1x1 tracking locally since the set of pages you visit will probably be similar if you just want some more general protection.

The bigger problem is that anything like this and the providers go up in size 1px at a time until it’s harder to distinguish from real content (at first transparent, then positioned off-screen, then overlays hiding it, then visible in a part of the page that doesn’t get as many views, dual-purposed with images/ads already on-screen, etc).

A better way is if Firefox just bundled an ad blocker and pushed ad blocking technology forward (eg more hooks to do expensive processing natively to save on power like Safari does). The challenge though is that something like 100% of their funding comes from an ad company.

3 more replies

dekerta5y ago

How about this:

- The browser does not load any images by default. <img> tags are replaced by gray rectangles

- User must click on the placeholder rectangle to load the image

- User can add image URLs to a whitelist so they load by default

4 more replies

eli5y ago

(1) happens in relatively few email clients. Every major client loads images by default except Thunderbird and it is not common.

5 more replies

MozNoz5y ago

https://blog.mozilla.org/security/2021/01/26/supercookie-pro... partitions the image cache by the site being visited.

ape45y ago

Yes the origin of tiny images is more important (and is dealt with now)

metalliqaz5y ago

... and tracking pixels would become 1x2, meanwhile actual 1x1 images used for formatting would stop working

falcolas5y ago

> 1x1 images for formatting

Huh? People still do this? Designers, I swear.

1 more reply

FalconSensei5y ago

> actual 1x1 images used for formatting would stop working

I see that as a feature

kgwxd5y ago

Is that something used on web sites? I've only heard of that in emails. What purpose would that server to a site you're already visiting?

twobitshifter5y ago

Look into Facebook pixel. Your browser is hitting this almost everywhere.

https://blog.hootsuite.com/facebook-pixel/

1 more reply

amalcon5y ago

Concrete-ish but still simple simple version: If you visit example.com, close the tab, and then load a page with an ad on it, both parties would love to show you an ad for whatever example.com is selling. If example.com has a tracking pixel for the ad domain, then this is trivial to make happen.

1 more reply

Macha5y ago

The images are on other domains used by advertiser or adtech company tracking, not for the website actually showing the ads.

newscracker5y ago

It’s just another way to do third party tracking, and could be loaded from a third party site.

asicsp5y ago

Not sure if it is the default setting on Firefox, but they show up as something like 'tracking image' for me.

whalesalad5y ago· 12 in thread

This is a great solution to a problem that seems to becoming more prevalent. Reminder to devs that bolted on third party scripts should not be in the critical path. Meaning, if you are doing something like capturing a click event in a Google analytics handler and blocking the redirect until you’ve tracked the click - you’re going to have a bad time. Many tracking scripts are designed for this and will gracefully/silently fail via something like an array push mechanism but I’ve encountered the opposite as well.

Being an indie dev with a pihole setup has been tough - I’ve gotta turn it off a lot for various client projects - but it’s also helped me build more resilient applications that work just as well for people who don’t have trackers enabled.

duxup5y ago

>I’ve gotta turn it off a lot for various client projects

As a web dev I'm running into a lot of security products dorking up web projects and processes these days. It seems to be increasing.

I've got customers with security software or other privacy related tools that are constantly 'trying' to do the right thing ... but just become support ticket overhead for me.

It's ULTRA frustrating at this point.

I've run into several customers now whose email scanners not just block emails arbitrary, but also follow links (fine by me) ... and even SUBMIT A FORM (NOT ok). Presumably to avoid some malware delivery, but now they've submitted something to us on a one time use form...

So just sending them an email means their software submits accept or decline options on a form (with our without the email reaching them) and we get a ton of "but I didn't get the email and I didn't decline anything".

Meanwhile the end customer is too technically behind the ball to entirely understand what is going on, and some ultra aggressive IT admin just keeps doing it. If you have a lot of customers it just seems to never end.

I kinda want to abandon email because of it but there's not a lot of good options.

Other issues include some unknown software installed by someone's kid (their IT guy) that blocks rando boring API calls ... the list never seems to end.

I support these privacy / security initiatives 100%, we don't do any insidious tracking or anything like that, but it is starting to hit entirely innocuous stuff.

stinos5y ago

Read this and replace "web" with "desktop" and large parts are still spot on, wrt virus scanners and the likes. We work on a product of which the installation is a bit complicated because it needs to install a bunch of other things. 95% of the time that fails the reason is some overly active security tool which messes up (the other 5% mainly machines which haven't been updated for years) To the point that we've started wondering if we wouldn't just start requiring dedicated machines or at least without any of that software, or even just ship PCs with the application pre-installed as it would likely turn out cheaper. Unfortunately that is not really an option as a web dev, so that situation is even worse..

1 more reply

cmeacham985y ago

What crazy-tier security software automatically SUBMITS A FORM on incoming emails? Please tell me so I know to avoid it at all costs.

How does this not break large parts of the existing web, ex. 80+% of password reset mechanisms?

reaperducer5y ago

Being an indie dev with a pihole setup has been tough - I’ve gotta turn it off a lot for various client projects

When you get enough established paying clients, consider firewalling work gear from home gear.

My client work computers are not my personal computers. My client computers have their own router that is separate from my personal router. At one time I had my personal internet on cable, and my clients on DSL, but unfortunately that's not possible where I am now.

I get a lot of peace of mind from knowing the two are isolated from one another. The only thing they share is a desk. But when work time is done, client laptops go into the closet. Helps with the work-home balance, which is harder working from home.

xoa5y ago

Any particular reason you don't just use VLANs? It sounds like you're describing a textbook case for them. Nearly any routing software should have a firewall too and the whole point is handling layer 3. Even for purely your own stuff segmenting off various devices into their own subnets can still be handy. If you want you even with a single WAN connection you could do something like get a cheap $5/mo VPS|droplet|etc, run wireguard on it, then route all traffic from a given VLAN through it. That'd give you similar WAN isolation.

1 more reply

algesten5y ago

If you got good enough router/access points, you could create separate VLANs for client vs private.

Thinking about it, I might just do that when I get back home :)

ethagnawl5y ago

> Being an indie dev with a pihole setup has been tough - I’ve gotta turn it off a lot for various client projects

I have a family member who works in marketing and am regularly asked to either turn off the pihole or add a new URL to the ignored list for exactly this reason.

McDyver5y ago

You can create groups in pihole and select which devices can bypass it. I'm not sure if you can assign specific lists per group, though

1 more reply

mosselman5y ago

The easiest way around this is to install a secondary browser (or use a profile in firefox, but that is cumbersome) for work. They could use a different DNS provider in that browser. I use Brave for this and Firefox for my private stuff.

Or they could ask their employer to pay for a VPN services that comes with DNS. Your family member will then have an easy to understand and easy to spot (VPN is ON) way to 'go into work mode' and out of it for private.

2 more replies

godshatter5y ago

As a person who has been using NoScript or the equivalent for years now, I appreciate this. It also helps out your clients. Instead of a blank page or a broken one, I would now presumably see a functioning page. While they may not get any ad revenue through me, I can't buy their product if they don't let me on the site. Or review it, or tell people about it, etc. There would be a chance now that I would come away from their website with a positive impression instead of hitting the back button and trying the next search result or just writing them off completely.

If you care about privacy at all, the web is a very broken place.

Kimitri5y ago

Blocking events until they are handled by the tracker's event queue is quite a common problem when using PiHole. It would be nice if those event handlers were registered using Google Tag Manager as it would mean that those event handers would never be registered if trackers are blocked.

By the way, I use VPN to bypass PiHole when I encounter these problems. It's a lot less hassle than switching the sinkhole off/on.

goalieca5y ago

I’m unable to use my banks app because the tracker being blocked causes an error that fails very loudly and blocks login. I refuse to whitelist it in pihole.

newscracker5y ago· 3 in thread

> The SmartBlock stand-ins are bundled with Firefox: no actual third-party content from the trackers are loaded at all, so there is no chance for them to track you this way.

Those third party scripts may not be able to track, but I wonder if the act of loading the stand-in scripts quickly (?) from within Firefox would lead to other issues.

> We also want to acknowledge the NoScript and uBlock Origin teams for helping to pioneer this approach.

Not to belittle the effort by others and other projects, but these two extensions, along with some others (like Privacy Badger), have helped users immensely in protecting themselves.

wisniewskit5y ago

Hi, lead SmartBlock dev here. My regular job at Mozilla involves diagnosing web sites for web compatibility issues, so I definitely share your concerns -- I routinely see sites relying on scripts loading in a specific order, but not coding themselves in a way that ensures that they actually do.

I haven't received any reports so far during the six-month-or-so nightly cycle where SmartBlock was only on nightly builds, so I'm optimistic. In the worst case we might be able to just add in an artificial delay to fix that, but of course I'd rather waste user's time like that unless that's 100% necessary.

And ultimately, problems are at least as likely (in my experience) to manifest with scripts loading too slowly, or not loading at all due to random networking hiccups.. many sites just aren't very tolerant at all of script loading failures.

jefftk5y ago

> I wonder if the act of loading the stand-in scripts quickly (?) from within Firefox would lead to other issues.

That's essentially the same as if they are loaded from the browser cache. What sort of issues are you concerned about?

irae5y ago

> I wonder if the act of loading the stand-in scripts quickly (?) from within Firefox would lead to other issues.

Mozilla does everything in the open, if you care to look at their bugtracker you will probably find all the conversation there, pros and cons, etc.

Silhouette5y ago· 3 in thread

If this works, it will be a very welcome development. Firefox is still my preferred primary browser given who the competition is, but the number of normal, everyday sites I visit that don't work properly in Firefox has become irritating. It appears that quite a few of those problems are caused by the security/privacy blocking rather than a lack of other functionality in Firefox, and it's usually the blocking by Firefox itself rather than any relevant add-ons because disabling the latter doesn't solve the problem.

prower5y ago

Could you provide examples? For the few cases i've encountered, disabling Ublock Origins (before blacklisting the website forever) solves the problem.

Silhouette5y ago

Sorry, I haven't thought to bookmark any of them. I'm just talking about sites I'd come across while browsing, perhaps following some interesting links from sites like HN. But on a noticeable number of occasions now, dev tools confirm there are script errors that seem to come from identifiers being undefined and the like, and if I literally disable every add-on I'm using, they are still undefined (but only in Firefox, not other browsers). The changes to promote privacy in recent versions of Firefox seem like the most likely explanation at that point, though to be fair I have no hard evidence of that either.

emayljames5y ago

I have encountered a few issues with uBlock and annoyances filter breaking the chocolatey website (portable software provider) where it leaves the site with an overlay. I've seen this in a few other places too.

1 more reply

CA0DA5y ago· 3 in thread

"a number of common scripts" - I wish they would have linked to where to find the technical details of which scripts they are emulating. Anyone know where this can be found?

arthuredelstein5y ago

The main "engine" is here: https://searchfox.org/mozilla-central/source/browser/extensi...

The shims are here: https://searchfox.org/mozilla-central/source/browser/extensi...

And the config file for how they are used is here: https://searchfox.org/mozilla-central/source/browser/extensi...

290830113977785y ago

Isn't it in the rest of the sentence you didn't quote?

> In Firefox 87, SmartBlock will silently stand in for a number of common scripts classified as trackers on the Disconnect Tracking Protection List.

Which, I assume, would be pulled from here [0]

[0] https://disconnect.me/trackerprotection

oktoberpaard5y ago

I think the question was which of those trackers have a stand-in script (could be a subset of all blocked trackers) and what the stand-in script looks like.

disposekinetics5y ago· 2 in thread

Is this Firefox adopting LocalCDN/Decentraleyes, or am I totally misunderstanding what's going on.

oktoberpaard5y ago

It’s different, as Decentraleyes hosts a local copy of libraries like jQuery, while the new Firefox feature is about emulating tracking scripts with a minimal set of features to trick the site into thinking it is present.

disposekinetics5y ago

That's a great idea. Thank you for clarifying.

290830113977785y ago· 2 in thread

Based on the comparison shown between using the third party scripts with tracking, and using the smart block stand-in, I wonder if this could be an edge against Chrome? While the Google team can push the envelope, pay for whatever is necessary, and add their own standards (such as AMP, though that may be going away IIRC), they're likely stuck waiting on trackers just like Firefox was (on non-AMP pages).

oktoberpaard5y ago

I believe that the comparison was between blocking the tracking script with and without a stand-in.

jefftk5y ago

Yes: "Previously (left), the website tiny.cloud had poor loading performance in Private Browsing windows in Firefox because of an incompatibility with strong Tracking Protection. With SmartBlock (right), the website loads properly again, while you are still fully protected from trackers found on the page."

prower5y ago· 2 in thread

Wouldn't it be better to have it also when browsing non-privately?

wisniewskit5y ago

SmartBlock can only kick in when tracking content is actively being blocked by tracking protection. If you'd like that to be on all the time, you can turn strict (or custom) tracking protection on in all windows, but of course the trade off is that you'll likely experience more site breakage, like you might in private browsing windows.

go5611925y ago

The new 'trim referrer by default' in Firefox 87 [1] was already enabled in private mode only, some months/weeks ago. So maybe they will make it default everywhere after some weeks? Maybe after working out any kinks?

[1] https://news.ycombinator.com/item?id=26539673

EVa5I7bHFq9mnYK5y ago· 2 in thread

Anything "smart" and "intelligent" is by now firmly associated with "we are watching you" in my brain. Maybe not the case here ... let's hope.

kaba05y ago

How about reading what it is?

EVa5I7bHFq9mnYK5y ago

That's too much work. Is it good? I'll take your word for it.

1 more reply

kostko5y ago· 1 in thread

Why not add something to protect the web security? XSS protection ? CSRF protection? We could do those things in the browser and not in every website in existance…

Boltgolt5y ago

One word: Compatibility. There are already protections against XSS and CSRF build in, and adding stricter rules would cause sites to break. Do you want to maintain a list of all sites that need cross origin GET requests to function?

ybbond5y ago

The one major improvement of 87 for me is the "Highlight All" for search also display location in the scroll bar.

musicale5y ago

Tracking vs. privacy is an arms race and the current endgame looks like server-side tracking vs. VPNs/virtual clients.

I wonder what Mozilla's plan is for blocking/mitigating server-side tracking?

j / k navigate · click thread line to collapse

117 comments

57 comments · 12 top-level

UI_at_80x245y ago· 15 in thread

Next step (please): block all 1x1 sized images.

The transparent pixel tracking trick is common enough now that it should be blocked by default in all 'Private' modes.

jasode5y ago

>Next step (please): block all 1x1 sized images.

If you're not aware, the HTTP protocol specification[1] doesn't have a technical way of knowing ahead of time if it's a 1x1 tracking pixel.

So the remaining realistic options are:

(1) block ALL <img> tags downloads which then blocks any 1x1 tracking pixels

(2) allow <img> tags but block some (and maybe most but not all) 1x1 pixels via a blacklist of url domains (e.g. doubleclick.net) ... and/or heuristics based on the "style" attribute

The (1) already happens in many email clients that render HTML.

The (2) is happening with the ongoing cat & mouse game with AdBlock, EasyList, etc

[1] https://www.google.com/search?q=http+protocol+request+get+sy...

vlovich1235y ago

3 more replies

dekerta5y ago

How about this:

- The browser does not load any images by default. <img> tags are replaced by gray rectangles

- User must click on the placeholder rectangle to load the image

- User can add image URLs to a whitelist so they load by default

4 more replies

eli5y ago

(1) happens in relatively few email clients. Every major client loads images by default except Thunderbird and it is not common.

5 more replies

MozNoz5y ago

https://blog.mozilla.org/security/2021/01/26/supercookie-pro... partitions the image cache by the site being visited.

ape45y ago

Yes the origin of tiny images is more important (and is dealt with now)

metalliqaz5y ago

... and tracking pixels would become 1x2, meanwhile actual 1x1 images used for formatting would stop working

falcolas5y ago

> 1x1 images for formatting

Huh? People still do this? Designers, I swear.

1 more reply

FalconSensei5y ago

> actual 1x1 images used for formatting would stop working

I see that as a feature

kgwxd5y ago

Is that something used on web sites? I've only heard of that in emails. What purpose would that server to a site you're already visiting?

twobitshifter5y ago

Look into Facebook pixel. Your browser is hitting this almost everywhere.

https://blog.hootsuite.com/facebook-pixel/

1 more reply

amalcon5y ago

1 more reply

Macha5y ago

The images are on other domains used by advertiser or adtech company tracking, not for the website actually showing the ads.

newscracker5y ago

It’s just another way to do third party tracking, and could be loaded from a third party site.

asicsp5y ago

Not sure if it is the default setting on Firefox, but they show up as something like 'tracking image' for me.

whalesalad5y ago· 12 in thread

duxup5y ago

>I’ve gotta turn it off a lot for various client projects

As a web dev I'm running into a lot of security products dorking up web projects and processes these days. It seems to be increasing.

I've got customers with security software or other privacy related tools that are constantly 'trying' to do the right thing ... but just become support ticket overhead for me.

It's ULTRA frustrating at this point.

I kinda want to abandon email because of it but there's not a lot of good options.

Other issues include some unknown software installed by someone's kid (their IT guy) that blocks rando boring API calls ... the list never seems to end.

I support these privacy / security initiatives 100%, we don't do any insidious tracking or anything like that, but it is starting to hit entirely innocuous stuff.

stinos5y ago

1 more reply

cmeacham985y ago

What crazy-tier security software automatically SUBMITS A FORM on incoming emails? Please tell me so I know to avoid it at all costs.

How does this not break large parts of the existing web, ex. 80+% of password reset mechanisms?

reaperducer5y ago

Being an indie dev with a pihole setup has been tough - I’ve gotta turn it off a lot for various client projects

When you get enough established paying clients, consider firewalling work gear from home gear.

xoa5y ago

1 more reply

algesten5y ago

If you got good enough router/access points, you could create separate VLANs for client vs private.

Thinking about it, I might just do that when I get back home :)

ethagnawl5y ago

> Being an indie dev with a pihole setup has been tough - I’ve gotta turn it off a lot for various client projects

I have a family member who works in marketing and am regularly asked to either turn off the pihole or add a new URL to the ignored list for exactly this reason.

McDyver5y ago

You can create groups in pihole and select which devices can bypass it. I'm not sure if you can assign specific lists per group, though

1 more reply

mosselman5y ago

2 more replies

godshatter5y ago

If you care about privacy at all, the web is a very broken place.

Kimitri5y ago

By the way, I use VPN to bypass PiHole when I encounter these problems. It's a lot less hassle than switching the sinkhole off/on.

goalieca5y ago

I’m unable to use my banks app because the tracker being blocked causes an error that fails very loudly and blocks login. I refuse to whitelist it in pihole.

newscracker5y ago· 3 in thread

> The SmartBlock stand-ins are bundled with Firefox: no actual third-party content from the trackers are loaded at all, so there is no chance for them to track you this way.

Those third party scripts may not be able to track, but I wonder if the act of loading the stand-in scripts quickly (?) from within Firefox would lead to other issues.

> We also want to acknowledge the NoScript and uBlock Origin teams for helping to pioneer this approach.

Not to belittle the effort by others and other projects, but these two extensions, along with some others (like Privacy Badger), have helped users immensely in protecting themselves.

wisniewskit5y ago

jefftk5y ago

> I wonder if the act of loading the stand-in scripts quickly (?) from within Firefox would lead to other issues.

That's essentially the same as if they are loaded from the browser cache. What sort of issues are you concerned about?

irae5y ago

> I wonder if the act of loading the stand-in scripts quickly (?) from within Firefox would lead to other issues.

Mozilla does everything in the open, if you care to look at their bugtracker you will probably find all the conversation there, pros and cons, etc.

Silhouette5y ago· 3 in thread

prower5y ago

Could you provide examples? For the few cases i've encountered, disabling Ublock Origins (before blacklisting the website forever) solves the problem.

Silhouette5y ago

emayljames5y ago

1 more reply

CA0DA5y ago· 3 in thread

"a number of common scripts" - I wish they would have linked to where to find the technical details of which scripts they are emulating. Anyone know where this can be found?

arthuredelstein5y ago

The main "engine" is here: https://searchfox.org/mozilla-central/source/browser/extensi...

The shims are here: https://searchfox.org/mozilla-central/source/browser/extensi...

And the config file for how they are used is here: https://searchfox.org/mozilla-central/source/browser/extensi...

290830113977785y ago

Isn't it in the rest of the sentence you didn't quote?

> In Firefox 87, SmartBlock will silently stand in for a number of common scripts classified as trackers on the Disconnect Tracking Protection List.

Which, I assume, would be pulled from here [0]

[0] https://disconnect.me/trackerprotection

oktoberpaard5y ago

I think the question was which of those trackers have a stand-in script (could be a subset of all blocked trackers) and what the stand-in script looks like.

disposekinetics5y ago· 2 in thread

Is this Firefox adopting LocalCDN/Decentraleyes, or am I totally misunderstanding what's going on.

oktoberpaard5y ago

disposekinetics5y ago

That's a great idea. Thank you for clarifying.

290830113977785y ago· 2 in thread

oktoberpaard5y ago

I believe that the comparison was between blocking the tracking script with and without a stand-in.

jefftk5y ago

prower5y ago· 2 in thread

Wouldn't it be better to have it also when browsing non-privately?

wisniewskit5y ago

go5611925y ago

[1] https://news.ycombinator.com/item?id=26539673

EVa5I7bHFq9mnYK5y ago· 2 in thread

Anything "smart" and "intelligent" is by now firmly associated with "we are watching you" in my brain. Maybe not the case here ... let's hope.

kaba05y ago

How about reading what it is?

EVa5I7bHFq9mnYK5y ago

That's too much work. Is it good? I'll take your word for it.

1 more reply

kostko5y ago· 1 in thread

Why not add something to protect the web security? XSS protection ? CSRF protection? We could do those things in the browser and not in every website in existance…

Boltgolt5y ago

ybbond5y ago

The one major improvement of 87 for me is the "Highlight All" for search also display location in the scroll bar.

musicale5y ago

Tracking vs. privacy is an arms race and the current endgame looks like server-side tracking vs. VPNs/virtual clients.

I wonder what Mozilla's plan is for blocking/mitigating server-side tracking?

j / k navigate · click thread line to collapse