Detect and enforce higher privacy standards inside popups (such as blocking access to cookies) #2165

Closed
popcornenthusiast opened this issue Sep 8, 2018 · 8 comments
Labels: enhancement, privacy (General privacy issues; stuff that isn't about Privacy Badger's heuristic), wontfix

Comments

@popcornenthusiast

This would take care of tracking from those ads that open in popups. The "(if) its base domain is different to the referrer base domain" is important, though, as blocking when it's from the same base domain could block cookies from a visited website just because the user opened a link in a new tab.

@ghostwords
Member

Could you explain in more detail? What led you to make this suggestion?

@popcornenthusiast
Author

popcornenthusiast commented Sep 8, 2018

Oh, sure. What led me to make this suggestion was all the ad popups that open when visiting some websites (torrent-sharing and porn websites do this all the time) and lead you down through a rabbit-hole of redirects and cookies. Like I said, they open in popups and their base domains are always different to the original website base domain, so I thought it would make sense to just block them once and for all.

BUT, now that I think a little more about it, it may be problematic: It seems like (at least) Firefox works in a strange way when it comes to new tabs and popups, with new tabs behaving like popups sometimes, so it may be hard to separate them apart, but if it's actually possible to separate them, then I think it does make sense to block every cookie from these websites.

@ghostwords added the enhancement and privacy (General privacy issues; stuff that isn't about Privacy Badger's heuristic) labels on Sep 9, 2018

@bcyphers
Contributor

bcyphers commented Sep 13, 2018

Can you post a specific instance of a site that has the behavior you want to block? The most common thing I've seen in the wild is some sort of invisible overlay that opens a new tab when you click on it. This seems very hard to stop (probably indistinguishable from normal about:blank links) and somewhat outside of Privacy Badger's jurisdiction.

If there's something specific that we can do without too much effort, we should do it; otherwise I'll close this issue.

@popcornenthusiast
Author

popcornenthusiast commented Sep 13, 2018

@bcyphers

> The most common thing I've seen in the wild is some sort of invisible overlay that opens a new tab when you click on it. This seems very hard to stop (probably indistinguishable from normal about:blank links) [...]

You're completely right about that, but let me show something that I've always found interesting (I'm not a developer, so bear with me).

So, like I said:

> It seems like (at least) Firefox works in a strange way when it comes to new tabs and popups, with new tabs behaving like popups sometimes, so it may be hard to separate them [...]

Now take a look at this link to an Instagram profile at the footer of The Atlantic's website. It's a target="_blank" link and so should always open in a new tab:

screenshot591

(Any other website would do, I just needed a target="_blank" link)

And here is what happens when you click on it with the left mouse button and take a look at uBlock Origin's Events logger:

screenshot592

Now here is what happens when you click on it with the right mouse button (or just the middle mouse button) and select "Open link in new tab":

screenshot593

See the difference? Sometimes Firefox/uBlock treats and logs a target="_blank" link just like... a new tab, and sometimes it treats it like "about:blank"/popup. In fact, there are some issues in uBlock's git about this matter: 3282, 3165

So, like I said, it may be hard to separate them, and that's why I added the "(if) its base domain is different to the referrer base domain" part, to try to prevent some misbehavior. But it isn't perfect, of course: If the user decides to open a legitimate link using the "Open link in new tab" option and the target domain is different, then it would also get blocked, despite the fact that it's a legitimate "popup". I still like the original idea, so if it isn't possible to get around that Firefox problem (Does it only affect Firefox?), I would rework the idea:

Instead of:

> Block every cookie from a website if it is loaded in a popup and its base domain is different to the referrer base domain

This:

> Block every cookie from a website and from every following redirect (and its third-parties) if it is loaded in a popup and its base domain is different to the referrer* base domain and if its domain is among the already cookie-blocked domains. If it isn't among the already cookie-blocked domains, block every cookie, but only from following redirects and its third-parties.

So, let me know what you think and if I was clear enough.

\* I am not sure about the "referrer" part: Should it be "the referrer base domain" or "to the base domain from the origin"? So, different from the referrer or from the origin?
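
The reworked rule proposed in the comment above, written out as a decision function. This is an added example, not part of the original comment and not Privacy Badger code; `popupCookiePolicy`, the simplified `baseDomain` helper, the `isPopup` input and all host names are assumptions made for illustration.

```javascript
// Added example. baseDomain() is a simplification (assumption): it keeps the
// last two labels only. A real extension needs the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Hypothetical helper implementing the reworked rule from the comment above.
//   openerHost    host of the page the new window was opened from
//   chain         hosts loaded in the new window: [landing, redirect 1, ...]
//   cookieBlocked Set of base domains that are already cookie-blocked
//   isPopup       whether the window counts as a popup; how to determine this
//                 reliably is the open problem in the thread, so it is an input
// Returns one { host, blockCookies } decision per hop.
function popupCookiePolicy(openerHost, chain, cookieBlocked, isPopup) {
  if (chain.length === 0) return [];
  const landingBase = baseDomain(chain[0]);
  // The rule only applies to popups whose base domain differs from the opener.
  const applies = isPopup && landingBase !== baseDomain(openerHost);
  return chain.map((host, hop) => {
    if (!applies) return { host, blockCookies: false };
    // Landing page: blocked only if already on the cookie-blocked list.
    if (hop === 0) return { host, blockCookies: cookieBlocked.has(landingBase) };
    // Every following redirect is blocked in both branches of the rule.
    return { host, blockCookies: true };
  });
}

// Constructed sample data (not taken from the issue).
const blocked = new Set(["adnet.example"]);
const flags = (r) => r.map((d) => d.blockCookies);

// Popup landing on an already cookie-blocked domain: every hop is blocked.
const knownAd = flags(popupCookiePolicy("www.site.example",
  ["go.adnet.example", "r.hop.example", "lp.offer.example"], blocked, true));

// Popup landing on an unlisted domain: only the redirects are blocked.
const unknownAd = flags(popupCookiePolicy("www.site.example",
  ["new.unlisted.example", "r.hop.example"], blocked, true));

// Same base domain as the opener: left alone even though it is a popup.
const sameSite = flags(popupCookiePolicy("www.site.example",
  ["login.site.example"], blocked, true));

// Limitation raised in the comment: a legitimate cross-site link that the
// browser reports as a popup is treated like an ad chain.
const legit = flags(popupCookiePolicy("www.site.example",
  ["profile.social.example", "m.social.example"], blocked, true));
console.log({ knownAd, unknownAd, sameSite, legit });
```

The `legit` case gets the same result as `unknownAd`, which is the false positive the comment itself points out for cross-site links opened with "Open link in new tab".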

@ghostwords
Member

ghostwords commented Sep 14, 2018

I think the hard part here is figuring out what is and what isn't a popup. If we could figure out what is a popup reliably, why wouldn't we just prevent the entire popup from loading?

As it stands, if a sneaky popup opens past your browser's popup defenses, Privacy Badger will learn about the trackers in that popup, and will eventually start blocking them.

@popcornenthusiast
Author

popcornenthusiast commented Sep 14, 2018

> I think the hard part here is figuring out what is and what isn't a popup.

Hm, I guess looking at the domain like I proposed kinda solves that, doesn't it?

> If we could figure out what is a popup reliably, why wouldn't we just prevent the entire popup from loading?

But shouldn't PB just block trackers? Blocking an entire website goes far from that, from what I can see. If it's the case to start blocking entire websites, I would try almost the same thing: to look at the popup base domain, see if it's different to the referrer (or is it the origin?) base domain and if the popup domain is already in a block list (yellow or red). If it's from a different base domain and it's already in a block list, just block it entirely.

Then something can be added to both approaches (be it just blocking cookies or blocking the entire website): If it isn't in a block list but its base domain is different to the referrer base domain, start learning how often that domain opens in a popup. If it is only seen loading as a popup, put it in the red list, so that the next time it appears it will be blocked.

@ghostwords changed the title from "Block every cookie from a website if it is loaded in a popup and its base domain is different to the referrer base domain" to "Detect and enforce higher privacy standards inside popups (such as blocking access to cookies)" on Sep 14, 2018

@ghostwords
Member

Closing as building (a kind of) popup blocking takes us too far afield from Privacy Badger's feature set, at this time anyway.

Do feel free to post specific examples (as in page URLs, popup URLs, maybe screenshots) that this feature is meant to address.

@ghostwords
Member

I also suggest looking into existing extensions such as Popup Blocker (strict).
