Firefox 57's Speed Secret? Delaying Requests from Tracking Domains (zdnet.com) 119
An anonymous reader quotes ZDNet:
A Mozilla engineer has revealed one of the hidden techniques that Firefox 57 -- known as Quantum -- is using to improve page load times... It delays scripts from tracking domains, such as www.google-analytics.com. The technique was developed by Mozilla engineer Honza Bambas, who calls it "tailing". It works by delaying scripts from tracking domains when a page is actively loading and rendering...
Tailing only briefly prevents the tracking scripts loading, rather than disabling them entirely. Page load performance is improved by saving on network bandwidth and computing resources while loading a page, in a way that prioritizes site requests over tracking requests. "Requests are kept on hold only while there are site sub-resources still loading and only up to about 6 seconds. The delay is engaged only for scripts added dynamically or as async. Tracking images are always delayed. This is legal according to all HTML specifications and it's assumed that well built sites will not be affected regarding functionality," explains Bambas.
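The rules quoted in the summary, modelled as a small scheduler. This is an added example, not Firefox code and not part of the article; the tracker list, the `news.example` page, the request paths and the timings are constructed, and "site sub-resources still loading" is approximated as "any non-tailed request still in flight".

```javascript
// Model of the tailing rules as quoted in the summary. Not Firefox source code.
// The tracker list, page and timings are constructed sample data.
const TRACKING_DOMAINS = new Set(["www.google-analytics.com"]);
const MAX_TAIL_MS = 6000; // "only up to about 6 seconds"

// Is this request eligible to be held back?
function isTailed(req) {
  const host = new URL(req.url).hostname;
  if (!TRACKING_DOMAINS.has(host)) return false; // site requests are never delayed
  if (req.type === "image") return true;         // tracking images: always delayed
  if (req.type === "script") return Boolean(req.async || req.dynamic);
  return false;
}

// Requests look like {url, type, async, dynamic, issuedAt, duration} (times in ms).
// Returns when each request is actually allowed to start.
function schedule(requests) {
  // Moment the last non-tailed sub-resource finishes loading.
  const siteDone = Math.max(
    0, ...requests.filter(r => !isTailed(r)).map(r => r.issuedAt + r.duration));
  return requests.map(r => {
    const tailed = isTailed(r);
    // Held while site resources load, but never beyond the cap.
    const start = tailed
      ? Math.max(r.issuedAt, Math.min(siteDone, r.issuedAt + MAX_TAIL_MS))
      : r.issuedAt;
    return { url: r.url, tailed, start };
  });
}

const GA = "https://www.google-analytics.com";
const SAMPLE_PAGE = [
  { url: "https://news.example/app.js", type: "script", issuedAt: 0, duration: 1500 },
  { url: "https://news.example/hero.jpg", type: "image", issuedAt: 100, duration: 8000 },
  { url: GA + "/a.js", type: "script", async: true, issuedAt: 50, duration: 300 },
  { url: GA + "/b.js", type: "script", issuedAt: 60, duration: 300 }, // parser-blocking
  { url: GA + "/pixel.gif", type: "image", issuedAt: 200, duration: 100 },
];

for (const r of schedule(SAMPLE_PAGE)) {
  console.log(String(r.start).padStart(5), r.tailed ? "tailed" : "      ", r.url);
}
```

On the sample page the slow hero image keeps the load going past the cap, so the async tracker script and the pixel are released by the 6-second limit rather than by page completion, while the parser-blocking tracker script is not delayed at all.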
With adblocking this is not even an issue. (Score:5, Insightful)
Everyone that already runs adblocking won't notice this anyway.
Re: With adblocking this is not even an issue. (Score:1)
What are you doing here then?
Re: (Score:2)
What, don't you have that option?
Re: (Score:2)
I've gotten a few notices where the ad is supposed to be saying "you're blocking ads" with a message to turn it off. I have the option to disable ads (when I'm logged in) but I've blocked ads on this site ever since they started allowing full page-covering ads and even one that attempted to use browser exploits to replace my home page.
Re: (Score:2)
So what's the difference between an advertising site and a tracking site? And what's to stop an advertiser/tracker from throwing some more obfuscation into their system?
Comment removed (Score:5, Informative)
Re: (Score:2)
Does this help?
Not really. Because from my computer's point of view, both sites do much of the same thing. They set and read cookies, upload images to my cache (so visits to other sites using the same image can deduce whether I've visited before), set values in HTML5 local storage and all sorts of similar things. So if someone can come up with a characteristic specific to tracking, I can block only those pages and allow the ads that support my favorite web sites. Instead of having to block everything.
Block third-party resources (Score:2)
So if someone can come up with a characteristic specific to tracking, I can block only those pages and allow the ads that support my favorite web sites.
A site with ads but no tracking will have its own store front where advertisers can buy ad space. This process doesn't need to place third-party cookies or images on viewers' devices. Therefore, to block tracking, block the loading of resources from unaffiliated domains. Use the Public Suffix List [publicsuffix.org] to find which hostnames are part of the same domain, and add cookieless domains used for static resources [ravelrumba.com] to a whitelist if they're obviously operated by the same publisher. Yes, this breaks CDNs used to deliver w
Ads without tracking (Score:2)
So what's the difference between an advertising site and a tracking site?
A publisher* that doesn't track your browsing across multiple websites will sell its ad space directly to advertisers and host its own ads rather than handing the ad space off to a third party ad network or ad exchange. Daring Fireball [daringfireball.net] and Read the Docs [readthedocs.io] are examples.
* A "publisher" is a site that shows ads, and an "advertiser" is a company that pays a publisher for ad space.
Re: (Score:2)
I'm not sure about that. Default adblocking filters do not block trackers.
Who relies on default filters? Surely, people take a look every now and then to identify more items to block?
There's also EFF's privacy badger. Too bad it only works in a couple of browsers, and that it turns on the "do not track" (which doesn't stop tracking; it just gives an additional piece of data for more accurate fingerprinting).
Re: (Score:2)
Most users rely on block lists. They don't have the ability to write good filters, and simple ones are bypassed by advertisers using easy tricks like having a semi random URL.
For many users they are 99% effective with zero effort.
Re: (Score:2)
I see the value of blocklists as a starting point. But the AdBlock family of blockers all make it relatively easy to make your own additions based on the page you're looking at, as well as disabling rules that are irrelevant to you, never causing hits, and just burning cycles.
To me it seems like buying a guitar and never tuning it, relying on a store to do it for you every now and then. There are surely people who do that too, but I'd think the majority would prefer to do things themselves and get it righ
Re: (Score:2, Informative)
don't run the default... duh.
abp only enables easylist by default.
https://adblockplus.org/subscr... [adblockplus.org]
you should run easylist+easyprivacy, any easylist specific to your country, fanboy annoyances, then whatever extras near the bottom of that list you want (nocoin, malware domains, spam404, etc).
Re: (Score:3)
Noscript will.
Re: (Score:2)
The number of js sources /. refers to is ridiculous. This site used to be run by more or less decent people. Now it really is run by scumbags.
Re: (Score:1)
I think another Speed Secret was by disabling our plug-ins. I remember reading an article a while ago about how ad-blocking in itself is one reason Firefox is slow and uses a lot of memory. Without everything having to be passed through a 4MB pattern.ini file and nearly 1 MB elemhide.css file, of course it may be faster... A year or so ago I went through the ad-blocking list for Firefox on my PC and removed all rules with less than 5 hits which significantly cut down the list.
Clickbait article. Not related to speed (Score:1)
Re:Clickbait article. Not related to speed (Score:4, Informative)
How about just forbidding XSS entirely (Score:1)
JS throwing requests all over the place got us into this mess in the first place.
Re:How about just forbidding XSS entirely (Score:4, Interesting)
That's why I use both noscript and also uMatrix!
Unless I, the user, have a reason for wanting javascript I won't turn it on. And even if I do, I don't want your cross-site scripting! uMatrix prevents that. And if something really needs a third party script, I can turn on just the specific third parties that are related. For example, I might allow a few google domains if I'm intentionally loading a map, but if I'm not using the map I'm not going to turn those on. And even if I am, I certainly don't want the analytics.
It seems to be getting better, actually; 5 years ago almost every site had third party JS for important functions, now more and more sites are hosting their own scripts for core functionality.
Re: (Score:3)
That's why I use both noscript and also uMatrix!
Why would you use both?
You can configure uMatrix to block everything by default just like noscript does. It is only a simple rule to edit.
Save even more time and block them altogether (Score:5, Insightful)
Re: (Score:2, Informative)
You can enable this in Options/Preferences > Privacy & Security > Tracking Protection, fyi.
But ... (Score:1)
Re:But ... (Score:5, Informative)
Too bad some websites have noticed the NoScripters and made their website unusable once you disable JS execution.
I say to them, Thank you! I'm glad we agree that it is best if I use another site. Everybody wins!
Let's not fight about this adblock stuff. Not everybody agrees, and that is wonderful, it is a sign of Freedom. There is no need to be passive-aggressive and make the site appear to work at first, and then fail later when you get to the heart of the content. Detect what is detectable, and be honest and straightforward; if you don't want me as a user, great! I can agree to that, no problem!
Re: (Score:1)
Speed is useless without extensions
Meh. There are 7,799 extensions available for Firefox 57+ at the moment. Doesn't seem like Firefox is "without extensions".
Now I use Waterfox and there is also Pale Moon
Why? They're just older, slower versions of Firefox which are unsustainable in the long term. They'll both eventually become like Firefox is now because they are both dependent on upstream development.
Ghostery and Privacy Badger (Score:4, Informative)
I notice that no one has mentioned these, why not?
Re: (Score:2)
It is, however, reasonable to permit extension devs to update their extensions to fix breakage. However, for many extensions, Mozilla are not permitting them to do that.
Endless backwards compatibility is indeed not possible for these extensions, but that was never expected anyway and it's not a reason to prevent devs from putting the work in if they want to.
Re: (Score:2)
Firefox won't even load bootstrapped extensions now unless signed by Mozilla's system addons key, which is unavailable to the public and which they won't use to sign any non-Mozilla addons (even though they were happy to use it to sign a marketing tie-in with a TV show, but that's a whole separate issue). They also won't allow you to upload the new version to AMO which prevents you from shipping updated versions to anybody that installed the extension from AMO in the first place (even if those users could u
Re: (Score:2)
It is, however, reasonable to permit extension devs to update their extensions to fix breakage. However, for many extensions, Mozilla are not permitting them to do that.
How so?
Re: (Score:2, Informative)
Probably because Firefox 57 broke almost every single plug-in
Ghostery [mozilla.org] and Privacy Badger [mozilla.org] both work with Firefox 57+ and so do 7,799 other add-ons. Your narrative doesn't hold up.
Ghostery perfectly works in FF57. (Score:2)
Ghostery, I don't know. But now I know you are not credible.
Re:Ghostery and Privacy Badger (Score:4, Informative)
I saw "Google Analytics" listed as one of the sites that Firefox delays. I run Privacy Badger in Chromium, so I checked quickly what it blocks on this site and apparently, Slashdot uses Google Analytics but Privacy Badger does not block it.
I suppose that there could be lots of other sites that are let through but which Firefox prioritises down when loading.
This means that running Privacy Badger is not a replacement for the prioritisation scheme that Firefox is doing.
Re: (Score:2)
It blocks it for me. Are you sure you didn't click it over to green at some point?
Re: (Score:2)
The advantage with the heuristics approach is that it will catch new things, and things which otherwise don't get included into blocklists.
Re:Ghostery and Privacy Badger (Score:4, Informative)
Re:really? -lies (Score:1)
I think you are being dishonest and/or your computer is broken.
Who is going to write the mod? (Score:4, Informative)
It's not like any of us asked to be tracked, or get any benefit out of it. Our online existence has become a huge source of income while government and big business know far too much about our private lives. Maybe we should be taking the initiative to "opt out" of tracking in a way that will make a real difference.
Re: (Score:1)
make NoScript and other real tracking protection not work anymore all in the name of "speed."
Firefox has tracking protection built-in [mozilla.org]. Set it to "always" and it will be on in both normal and private browsing modes. NoScript [mozilla.org] works in Firefox 57+ and the author of NoScript says [hackademix.net] Firefox has "the best Browser Extensions API available on any current browser".
Your claims don't match up to the practical realities. Just use Firefox and be happy.
There's an even simpler method (Score:3)
Block all such scripts using add-ons such as uMatrix.
It's truly amazing how fast pages load even on older systems when this technique is employed.
Not in the browser (Score:2)
" It delays scripts from tracking domains, such as www.google-analytics.com."
You should block all these domains at the router level, so it makes all the browsers faster, also the ones on your mobile gadgets.
Re: (Score:2)
I played around with this a couple of years ago and it didn't work for me. The browser would freeze while it awaited response from the blocked domain. What did I do wrong?
Waiting for the escalation (Score:3)
The clock is ticking.... (pun intended)
Re: Waiting for the escalation (Score:2)
Then link to a fake tracker that sets a value that's fake.
Really kill those third party user trackers (Score:5, Interesting)
Firefox inherited a small security update from the Tor project called "First Party Isolation". It's in newer versions of FF, but isn't turned on by default as it can break some authentication systems.
What it does, is only allow cookies to be sent and received by the site in the page's URL. So, for instance, while visiting YouTube.com, images and the like from google.com can load, but have no cookies attached, and do not receive those cookies.
To enable it, go to about:config and find "privacy.firstparty.isolate". Set it to true and restart the browser, and enjoy surfing the web knowing that you're not being tracked from site to site.
Re:Really kill those third party user trackers (Score:5, Informative)
Exactly what Apple has done with Safari, on both iOS and OSX. Except that Apple enabled the option by default.
Re: (Score:3)
As I understand it, that's not exactly what it does. Third-party sites are still allowed to use cookies, but they get access to a different set of cookies depending on which first-party site they were loaded from.
You can reject all cookies from third-party sites by setting network.cookie.cookieBehavior=1.
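A toy cookie jar comparing the two prefs named in this sub-thread, `privacy.firstparty.isolate` and `network.cookie.cookieBehavior=1`, with default behaviour. This is an added example, not browser code or anything posted in the thread; the host names are constructed, and the `site()` helper is a shortcut that stands in for a real Public Suffix List lookup.

```javascript
// Naive registrable-domain helper: keeps the last two labels. Browsers use the
// Public Suffix List; this shortcut is only valid for the constructed hosts below.
function site(host) { return host.split(".").slice(-2).join("."); }

class CookieJar {
  // mode: "default" | "fpi" (privacy.firstparty.isolate=true)
  //     | "block3p" (network.cookie.cookieBehavior=1)
  constructor(mode) { this.mode = mode; this.store = new Map(); }
  key(topHost, reqHost) {
    const owner = site(reqHost);
    // Under isolation the jar is keyed by (first party, cookie owner).
    return this.mode === "fpi" ? `${site(topHost)}^${owner}` : owner;
  }
  allowed(topHost, reqHost) {
    return this.mode !== "block3p" || site(topHost) === site(reqHost);
  }
  get(topHost, reqHost) {
    if (!this.allowed(topHost, reqHost)) return null;
    return this.store.get(this.key(topHost, reqHost)) ?? null;
  }
  set(topHost, reqHost, value) {
    if (this.allowed(topHost, reqHost)) this.store.set(this.key(topHost, reqHost), value);
  }
}

// A third-party host embedded on every visited page: it reuses the ID cookie
// it receives, otherwise mints a new ID and tries to store it.
function browse(mode, visits, trackerHost) {
  const jar = new CookieJar(mode);
  let next = 1;
  return visits.map(top => {
    let id = jar.get(top, trackerHost);
    if (id === null) { id = `uid-${next++}`; jar.set(top, trackerHost, id); }
    return id; // identifier the third party observes on this visit
  });
}

const VISITS = ["news.example", "shop.example", "news.example"]; // constructed
const TRACKER = "t.tracker.example";                             // constructed
for (const mode of ["default", "fpi", "block3p"]) {
  console.log(mode.padEnd(8), browse(mode, VISITS, TRACKER).join(" "));
}
```

By default the third party sees one ID everywhere; with isolation it sees a stable ID per first-party site but cannot join them; with third-party cookies rejected it gets a fresh ID on every visit.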
Heresy (Score:1)
Prioritising the user over the advertiser? ^_^
Black Helicopters dispatched to your location. Await airlift.
Net Neutrality (Score:2)
Just to be devil's advocate, I don't like the idea of things like this being "hidden". Firefox does give you control over how it blocks trackers and which list of known trackers exist on the Internet. Hopefully those settings also allow you to control how (and if) trackers are throttled, as well.
Re:Net Neutrality - aka, no adblock (Score:2)
Well, to be the devil's devil's advocate, isn't this an arguably *good* thing in support of non-net-neutrality? If ISPs could throttle tracking domains, or spam emailers, wouldn't that be an unadulterated good for the hundreds of millions of people who might not be running the latest firefox browser?
tl;dr - if consumers actually value different traffic differently, why should ISPs be prevented from prioritizing traffic they value, and throttling traffic they don't?
I get it, the ISP "value" might be differe
Re: (Score:3)
>> isn't this an arguably *good* thing in support of non-net-neutrality?
Not really. I never gave any of those companies permission to spy on me. That has nothing to do with how much bandwidth they get.
There is no place like 127.0.0.1 (Score:1)
If they can delay them... (Score:2)
..then why can't they provide the user with a simple switch to blacklist them entirely?