[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #20317 [Applications/Tor Browser]: Key permissions by first-party domain instead of origin (proposal)



#20317: Key permissions by first-party domain instead of origin (proposal)
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-linkability           |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Description changed by arthuredelstein:

Old description:

> In Firefox (and current Tor Browser), permissions are keyed by origin.
> That is a tracking vector -- for example, on Google maps, if click on the
> "Show your Location" button,
>
> [[Image(location.png)]]
>
> The browser asks "www.google.com: Would you like to Share your Location
> with this site?" If we choose "Always Share Location", then this
> permission is stored, keyed to www.google.com.
>
> [[Image(permission.png)]]
>
> Now the UI says "this site", which is, to my ear, synonymous with "first
> party domain". But now on other sites, any third-party object from
> www.google.com" (such as a Google Analytics script or a Google+ button)
> can know our location. And, further, it can expose a function call that
> any other script on the same page could call to obtain our location. So
> in practice, we have given permission for numerous domains to obtain our
> location. And the very existence of the unusual permission setting, or
> any other, helps to track us.
>
> So I would like to propose that we key every permission by first-party
> domain instead of origin domain. That means that the Permissions UI
> doesn't need to change much at all. We are still assigning each
> permission to a single domain. But this way, granting a permission to
> google.com would not leak to every other site.
>
> And I would argue that this is already the perception of most users when
> they see a permission requested for "this site". Most users are not
> knowledgeable about the subtleties of third-party scripts -- they expect
> a permission to apply to the site they are visiting (the first party).
>
> I would suggest we should write this patch for ESR52, which means using
> Origin Attributes and the pref "privacy.firstparty.isolate". Then we can
> hopefully uplift to Mozilla.

New description:

 In Firefox (and current Tor Browser), permissions are keyed by origin.
 That is a tracking vector -- for example, on Google maps, if click on the
 "Show your Location" button,

 [[Image(location.png)]]

 The browser asks "www.google.com: Would you like to Share your Location
 with this site?" If we choose "Always Share Location", then this
 permission is stored, keyed to www.google.com.

 [[Image(permission.png)]]

 Now the UI says "this site", which is, to my ear, synonymous with "first
 party domain". But now on other sites, any third-party iframe from
 www.google.com (such as created by a Google Analytics script or a Google+
 button) can know our location. And, further, it can expose a function call
 (using iframe postMessage tricks) that any other script on the same page
 could call to obtain our location. So in practice, we have given
 permission for numerous domains to obtain our location. And the very
 existence of the unusual permission setting, or any other, helps to track
 us.

 So I would like to propose that we key every permission by first-party
 domain instead of origin domain. That means that the Permissions UI
 doesn't need to change much at all. We are still assigning each permission
 to a single domain. But this way, granting a permission to google.com
 would not leak to every other site.

 And I would argue that this is already the perception of most users when
 they see a permission requested for "this site". Most users are not
 knowledgeable about the subtleties of third-party scripts -- they expect a
 permission to apply to the site they are visiting (the first party).

 I would suggest we should write this patch for ESR52, which means using
 Origin Attributes and the pref "privacy.firstparty.isolate". Then we can
 hopefully uplift to Mozilla.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20317#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs