CanvasBlocker icon indicating copy to clipboard operation
CanvasBlocker copied to clipboard

Published 20 hours ago verified publisher icon kkapsner

Whitelist confusion

Open teknowledgist opened this issue 3 years ago • 6 comments

Description

  1. It is unclear how to add something to the whitelist.
  2. Adding a site to the whitelist should mean that the site is trusted and it's OK for the fingerprinting API calls to work without interference. However, once in the whitelist, all the protections are active (same as they are for sites not whitelisted).

Expected Behavior

  1. There should be an explicit "add to whitelist" button, or a "(whitelisted)" indicator on the icon or in the menu.
  2. When whitelisted, a site should have all protections unchecked.

Current Behavior

  1. Clicking the fingerprint icon changes it from a green check which can indicate "good" or "yes" to a red "x" which can indicate "bad" or "no". It's not clear if green means "good, you are protected from fingerprinting" and red is "bad, you aren't protected from fingerprinting" or if green means "this site is free to do as it wishes" and red means "this site is blocked from performing some tracking behaviors".
  2. That confusing is made worse by inspecting the whitelist where it shows that all "API protections" are active for a URL that displays the red "x". What does that mean for sites not in the whitelist (and displaying the green check)?

Possible Solution

The green check/red "x" are fine as long as they are consistent with the whitelist settings. There should also be an indicator for some protections but not all. maybe a yellow "?" The whitelist settings should be directly accessible from the icon/menu too, and that is especially true once a site is on the whitelist. Once a site is whitelisted, it would be most efficient to allow the individual protections to be enabled/disabled directly from the popup menu itself. Opening the settings tab and then the whitelist tab and then finding the site for the tab you started from is too much for a simple set of binary options for the current site.

teknowledgist avatar Jun 16 '22 16:06 teknowledgist

I agree wholeheartedly. I cannot manage to figure out how to add sites to the whitelist, and I have looked all through the settings. Thought I was just being dense. Some assistance would be greatly appreciated.

ark222 avatar Jun 30 '22 00:06 ark222

Never mind, found it. Agree that it is awkward, and unexpected not to find it in the settings.

ark222 avatar Jun 30 '22 00:06 ark222

Sorry for the late answer.

Hm... the whitelisting seems not intuitive enough. It's for me... but I built the whole thing ;)

Did you two notice the fingerprint icon in the URL bar? That's the fastest way to whitelist something. Maybe I have to move the functionality from there to the "normal" icon that's always shown.

kkapsner avatar Jul 05 '22 21:07 kkapsner

Hi. I had not noticed the icon in the URL bar, but I would still argue that it is also not immediately clear what to do. Clicking it shows me a few messages and icons, but only if I hover over the domain name within the messages do I see what appears to be options. Maybe adding to the documentation about the icon and how to add items to the whitelist would be sufficient, but I bet the interface can be improved too.

I like that hovering over the options there does show what it does. I think the "Inspect Whitelist" tab could be clarified and made more efficient.

For example, the text, Shows which API protections are active for a given site. If you remove a checkmark for an API this API will be not protected for the selected site.

  1. The majority of folks have no idea what an API is.
  2. What is protected, the API, or the user?

I would change the text to something like This shows which fingerprint protections are active for sites. Unchecked means that the site can use that particular function to (at least partially) fingerprint your browser. Checked means that option for uniquely identifying you is unavailable to the site. Also make it a table:

Site/URL All APIs  Canvas API Audio API History API DOMRect API SVG API Screen API
Github.com [x] [x] [x] [x] [x] [x] [x]

That's what I have at the moment. I'll think about some other GUI improvements.

Thanks!

teknowledgist avatar Jul 06 '22 12:07 teknowledgist

How do you remove items from the whitelist? Clicking on 'inspect whitelist' in settings shows all the domains/URLs I have once whitelisted, but there is no remove button. I can just uncheck all the items, but the domain/URL forever remains in the list.

donnydark0 avatar Mar 10 '23 11:03 donnydark0

@donnydark0: you have to check all items. If you then reload the page the domain/URL is gone.

@teknowledgist: thanks for the input and the suggestions. I will see how I can implement that.

kkapsner avatar Mar 14 '23 19:03 kkapsner