Disabling on uBlock Origin gives inaccurate results

Open Hainish opened this issue 5 years ago • 4 comments

@gorhill I could not open this on https://github.com/gorhill/uBlock/issues/new because

An owner of this repository has limited the ability to open an issue to users that have contributed to this repository in the past.

but this is a uBlock Origin issue.

Scenario

Install uBlock Origin, and visit the EFF's Panopticlick site: https://panopticlick.eff.org/.

Click on the uBlock Origin icon and disable for this site. Click Test Me.

Result

The result shown is partial protection for blocking ads and trackers.

Expected Result

The expected result should show no protection against ads and trackers.

Explanation

Panopticlick is built to support addons like uBlock Origin as well as heuristic blockers such as Privacy Badger. The way this works is that it forwards the user through a number of first-party domains that include third-party trackers, in order to trigger the heuristic 'learning' of Privacy Badger.

At the end of the test, the results page communicates with the third-party trackers via the postMessage API to determine which first party domains were loaded. Since uBlock Origin has not disabled all the interstitial first-party domains, the third parties report that they were loaded only on https://panopticlick.eff.org/, since they were blocked on the other domains.

Further Complication

If a user runs the above scenario with Privacy Badger installed alongside uBlock Origin, uBlock Origin blocks the third-party resources from loading on all interstitial first parties, thus never giving Privacy Badger the opportunity to do heuristic learning. This gives a weaker result than expected.

Proposed Solution

Make uBlock Origin aware of first-party groupings of domains. When a user disables the extension on https://panopticlick.eff.org/, they probably intend to disable it for the entirety of the Panopticlick site. This includes these other first-party domains:

  1. firstpartysimulator.org
  2. firstpartysimulator.net

Hainish, Jan 04 '19 18:01

ping @gorhill

Hainish, Jan 30 '19 02:01

Make uBlock Origin aware of first-party groupings of domains

Asking uBO to implement a fix for a specific site does not seem right to me. What about all other blockers? NoScript? uMatrix? etc.

Why not just provide instructions that both firstpartysimulator.org and firstpartysimulator.net should be whitelisted in a user's blocker for the test to work?

gorhill, Jan 30 '19 13:01

@gorhill we're not asking for a specific exception to Panopticlick. You could, for instance, incorporate Privacy Badger's Multi-Domain First Party list to group domains when disabling the extension:

https://github.com/EFForg/privacybadger/blob/master/src/js/multiDomainFirstParties.js

Hainish, Jan 30 '19 18:01

I would need to think how to fit this in uBO. Automatically whitelisting a bunch of other domains when whitelisting one of them does not sound like it's something a user would necessarily want even if they are all under the same authority -- this would have to be opt-in at the very least.

gorhill, Jan 30 '19 20:01
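
The grouping idea discussed in this thread, with the opt-in behaviour raised in the last comment, sketched as an added example; it is not uBlock Origin or Privacy Badger code. The function names, the `groupSiblings` option and the group data are assumptions made for illustration; only `panopticlick.eff.org`, `firstpartysimulator.org` and `firstpartysimulator.net` come from the issue text.

```javascript
// Constructed sample data in the shape "one array per owner".
const GROUPS = [
  ["eff.org", "firstpartysimulator.org", "firstpartysimulator.net"],
  ["example.com", "example-cdn.net"], // constructed filler group
];

// Map every listed domain to the group it belongs to.
function buildLookup(groups) {
  const lookup = new Map();
  for (const group of groups) {
    for (const domain of group) lookup.set(domain.toLowerCase(), group);
  }
  return lookup;
}

// Walk from the full hostname toward the TLD and return the first listed
// group; the bare TLD is never tested, so "org" alone cannot match.
function groupFor(hostname, lookup) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const group = lookup.get(labels.slice(i).join("."));
    if (group) return group;
  }
  return null;
}

// Whitelist entries produced when the user disables blocking on siteUrl.
// Default is the single host; siblings are added only when opted in.
function expandWhitelist(siteUrl, lookup, { groupSiblings = false } = {}) {
  const host = new URL(siteUrl).hostname.toLowerCase();
  const entries = new Set([host]);
  const group = groupSiblings ? groupFor(host, lookup) : null;
  for (const d of group || []) {
    // Skip the host's own parent domain so the original entry is not
    // silently widened (panopticlick.eff.org must not become all of eff.org).
    if (host !== d && !host.endsWith("." + d)) entries.add(d);
  }
  return [...entries];
}

// Match on label boundaries so "notfirstpartysimulator.org" is not covered.
function isWhitelisted(pageUrl, entries) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  return entries.some((e) => host === e || host.endsWith("." + e));
}
```

Without the opt-in, disabling on `panopticlick.eff.org` leaves the interstitial domains filtered, which is the partial result described in the issue.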