Thank you François for the explanation. If you are reading this, did you evaluate various information sources (Ghostery, etc.) before settling on Disconnect? It would be valuable to everyone to know the results of that research; users mostly have to trust the various vendors without knowing how effective they really are.
OT: Does anyone understand why Mozilla publishes valuable information like this over random personal blogs, rather than a central place like a knowledge base (e.g., a wiki)? It makes discoverability, both when the information is published and more importantly when I need it, very difficult.
I know about Planet Mozilla, their aggregated blog feed, but the signal-to-noise ratio is much too low (which isn't a criticism of the content, I just don't have time or interest in that much detail about Mozilla).
It's not intentional. Granted, it's not like Mozilla itself decided that fmarier's blog was the best place to put this, he just posted it because it's his blog and he's a smart person. :D
It's actually consequence of a few things (including things I'm not aware of), like:
1. There is no one team dedicated to writing detailed technical documentation at the level you're talking about, and it's not required as part of submitting a patch.
2. The details about these implementations change often, making it harder to keep what documentation there is up-to-date.
3. Firefox is so friggin' big. It'd be a _ton_ of documentation that most users (read: not developers) wouldn't care about.
We have a wiki, but it's more useful to contributors and staff than it is to the general public: https://wiki.mozilla.org
It's also quite hard to file a bug. I did just that the other day, didn't want to make an account tried to use my github account, failed at that eventually did make an account. It's a pretty annoying bar to have to create an account with some system just to report a bug (which one should be able to do even anonymously). I understand you're trying your very best and work extremely hard but these little details all taken together add up to a fragmented and inconsistent picture which is something I really find a pity because Mozilla is an absolutely excellent product from a group of extremely capable people.
Really sorry about that -- there was a snag in the case when someone has multiple github emails and no bugzilla account.
It was fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=1223590 and that should be going live this week (last weak was a rarity, no code push).
As far as I know, people working on bugzilla have github based login on their radar. Don't ask me for a roadmap though, but people hanging out in #bmo on irc.mozilla.org should be able to fill in details.
Fully anonymous login is an open door to way more spam that we want to handle ;)
Ah, that is exactly the case, I have one for 'business' and one for 'private' stuff. Thank you for the clarification, it was quite a confusing situation because you ended up in an endless merry-go-round.
From years watching and occasionally contributing a tiny bit to Mozilla, I got that sense.
I understand that creating and maintaining technical documentation takes more resources than most people assume, but there are compromise solutions ...
> it's not like Mozilla itself decided that fmarier's blog was the best place to put this, he just posted it because it's his blog and he's a smart person.
... instead of posting such things to personal blogs, where few people can discover them, how about just posting the exact same things to a central wiki? For the same amount of work by the authors, they would be far more discoverable by people who need the information; the authors would reach a much wider audience. Wiki updates could publish in Planet Mozilla. (I'd make the wiki editable only by Mozilla employees, to reduce the burden on authors who might not want to get into debates with the world over what they post.)
It may not be authoritative documentation, but it would be far better than what's available now and at little additional cost. You can make clear to readers that it's ad hoc documentation (e.g., call it the Beta Wiki, put a notice at the top of each page, etc.), and at the top of each page post the date the page was last revised in a way that nobody will overlook.
Right now you are wasting a lot of great knowledge by hiding it where nobody will discover it; it's like developing great features but hiding them in the interface where nobody will find them.
> Firefox is so friggin' big ...
It is, but to be fair there are many comparable or larger software projects out there where detailed technical documentation is more discoverable. Windows comes to mind.
All easier said than done. Good luck to you guys; you do great work.
> did you evaluate various information sources (Ghostery, etc.) before settling on Disconnect?
Monica Chew, the engineer who did the bulk of the work on this feature, did consider a number of available lists before settling on this one. The Disconnect list was the best freely-licensed (GPL) one at the time. Also, they now have a web form to let users suggest new trackers to block (https://disconnect.me/trackerprotection) so it should get even better.
> Does anyone understand why Mozilla publishes valuable information like this over random personal blogs, rather than a central place like a knowledge base (e.g., a wiki)?
It's pretty tricky to share information in the "right place" because of the amount of information produced by everyone at Mozilla. Someone's preferred channel is often another person's blind spot.
How ironic that I only discovered the information, present the whole time in the wiki, via your blog!
Thanks for taking the time to respond and to write up the blog post in the first place. I hope what I wrote was taken as intended, referring to general practices and not to your efforts.
If you can't bear the firehose, I don't know of anything close to a "knowledge base (e.g., a wiki)" curating Mozilla news. Maybe you could subscribe to https://hacks.mozilla.org/ and https://blog.mozilla.org/ , but yeah you'll only scratch the surface and e.g. would have missed this post.
I'm curious how this behaves in relation to blocking third-party cookies via Settings→Privacy→Accept third-party cookies: Never. I've had this turned on for a year or so.
Also, I wonder what this would catch that uBlock Origin wouldn't? I assume that if it's "good enough" then it's probably the better solution to use in Firefox, especially with the new extension format and multi-process (e10s) coming eventually in Firefox.
> I'm curious how this behaves in relation to blocking third-party cookies via Settings→Privacy→Accept third-party cookies
It doesn't. The option you mention is about cookies acceptance on a first-party vs. third-party policy; trackingprotection is about blocking regular http requests on a blacklist basis.
> Also, I wonder what this would catch that uBlock Origin wouldn't? I assume that if it's "good enough" then it's probably the better solution to use in Firefox, especially with the new extension format and multi-process (e10s) coming eventually in Firefox.
I perceive it as exactly this too, a "simple and good enough" solution. Get uBlock Origin (or any other blocker) if you want the bells and whistles and more {white/black}list control.
Nit: e10s has no problems with uBlock Origin at all, it's still working within my e10s-enabled Developer Edition 44.0a2.
Ah, you're right about the cookies thing. Regarding uBlock Origin and e10s, you've never gotten the dialog "uBlock Origin is making Firefox run slowly" or similar? I believe that's related to e10s...
In a sense, this feature/dialog is "close" to e10s as it's under the same umbrella at Mozilla, the "Snappy" [1] effort to work on performance. But it's not the same:
- e10s is about making each browser tab an independent process [2]. Some addons have glitches with it, but uBlock Origin is not one of them.
- The feature you saw just proactively tells users about addons degrading performance and help them disable them or adjust their expectations. See [3]. EDIT hmmm, you are right, actually! The bug explicitly mentions the goal to "identify add-ons that are causing jank because of their CPOW usage", and CPOW is an e10s thing [4]. TIL, thanks :)
Sounds like this will block hosted analytics solutions like Google Analytics, but the same data is available to the first party site if they roll their own analytics. In this case you're not really adding any protection for the user, just disadvantaging smaller publishers in understanding how their site is being used
> block hosted analytics solutions like Google Analytics
That's the goal. The pattern-of-life[1] analysis that GA enables is an incredible long-term risk.
Allowing one entity to log almost all of your internet activities into one aggregated database creates a massive amount of potential-social-power. Even if Google isn't currently converting that potential-power into an abusive form, the very existence of that data in one location creates a huge temptation for thieves and governments with national security letters.
> roll their own analytics
Server logs only give you a view of the traffic to one website. There is a huge difference between one business knowing you use their service and a 3rd party carefully logging your entire daily schedule.
[1] I highly recommend reading http://labs.rs/en/metadata/ which unfortunately didn't get much attention when it was recently posted to HN. I suspect most people are still thinking way too small when judging what is possible from "just metadata".
Google takes data from other sites/sources into account when it delivers data via google analytics, it is unquestionably tracking users from site to site.
It adds plenty of protection for the user to block it.
I have no idea how people can look at the demographic information GA delivers and then conclude it isn't tracking users around the web...
I use browser plugins to block ads and third-party trackers on all of my devices. I'm also a web developer, and I regularly set up Google Analytics accounts for my clients.
I agree that the proliferation of tracker blocking could be an issue for smaller publishers and businesses in the near future. But as a privacy-conscious internet user, I'm excited about the vacuum this might leave for better self-hosted options.
I said nothing about cookies. I said "third-party tracking". If I don't visit google's website and if they are tracking me on someone else's website then they are a third party. And I will block them if I can.
The issue that many of us are worried about is being tracked across the entire internet by a single entity who's site some of us don't even visit (definition of third party there). We don't care if this is done by what you call first party cookies, or what your call third party cookies, or measuring our mouse movements, or finger printing our browser, or just by watching us through our webcams/sending someone to our house to take notes we don't want it period. And we will block whatever means we can that these entities use to track us.
so this is really a cross-origin blocker + whitelist.
I wonder if google fonts and jquery CDN and such will get whitelisted. I don't think they should be, but not doing so will break websites even more than flash blocked by default.
I have to say if it's called "tracking protection" it leads to a false sense of security. Browser fingerprinting (and cookies) on the websites you visit still works. The ad-distributer might no longer track you, but sites still can.
A first counterattack on this might also be self-hosted tracking scripts that than push the data to google analytics or the ad-network or whoever demands that you let them track your users to use their service.
So now when I build a website and want to use a cookieless domain for assets, my site is going to be broken for Firefox users until I get it blessed by Mozilla?
I read the article? The new feature uses a whitelist provided by Mozilla to determine if a given site is allowed to load an asset from a given external hostname. Their example makes it seem like twitter gets to be blessed with being able to continue loading images, but there's no mention of what smaller publishers need to do to get added to the blessed list
Ahhh I see, so it's like a blacklist paired with a whitelist. I missed that sites not found on the first list would be unrestricted. Thanks for the explanation
OT: Does anyone understand why Mozilla publishes valuable information like this over random personal blogs, rather than a central place like a knowledge base (e.g., a wiki)? It makes discoverability, both when the information is published and more importantly when I need it, very difficult.
I know about Planet Mozilla, their aggregated blog feed, but the signal-to-noise ratio is much too low (which isn't a criticism of the content, I just don't have time or interest in that much detail about Mozilla).