Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Firefox Mozilla

Firefox 57's Speed Secret? Delaying Requests from Tracking Domains (zdnet.com) 119

An anonymous reader quotes ZDNet: A Mozilla engineer has revealed one of the hidden techniques that Firefox 57 -- known as Quantum -- is using to improve page load times... It delays scripts from tracking domains, such as www.google-analytics.com. The technique was developed by Mozilla engineer Honza Bambas, who calls it "tailing". It works by delaying scripts from tracking domains when a page is actively loading and rendering...

Tailing only briefly prevents the tracking scripts loading, rather than disabling them entirely. Page load performance is improved by saving on network bandwidth and computing resources while loading a page, in a way that prioritizes site requests over tracking requests. "Requests are kept on hold only while there are site sub-resources still loading and only up to about 6 seconds. The delay is engaged only for scripts added dynamically or as async. Tracking images are always delayed. This is legal according all HTML specifications and it's assumed that well built sites will not be affected regarding functionality," explains Bambas.

This discussion has been archived. No new comments can be posted.

Firefox 57's Speed Secret? Delaying Requests from Tracking Domains

Comments Filter:
  • by Z00L00K ( 682162 ) on Saturday December 23, 2017 @02:58PM (#55797053) Homepage Journal

    Everyone that already runs adblocking won't notice this anyway.

    • I'm not sure about that. Default adblocking filters do not block trackers.
      • by PPH ( 736903 )

        So what's the difference between an advertising site and a tracking site? And what's to stop an advertiser/tracker from throwing some more obfuscation into their system?

        • Comment removed (Score:5, Informative)

          by account_deleted ( 4530225 ) on Saturday December 23, 2017 @04:24PM (#55797431)
          Comment removed based on user account deletion
          • by PPH ( 736903 )

            Does this help?

            Not really. Because from my computer's point of view, both sites do much of the same thing. They set and read cookies, upload images to my cache (so visits to other sites using the same image can deduce whether I've visited before), set values in HTML5 local storage and all sorts of similar things. So if someone can come up with a characteristic specific to tracking, I can block only those pages and allow the ads that support my favorite web sites. Instead of having to block everything.

            • He just gave you the characteristics particular to tracking. I don't think the mechanisms used to implement it differ much on the client side compared to plain, non-tracking ads. Your computer isn't going to know what the server does with the information it sends back. Or the intentions of the people controlling that server, or whoever they might sell the data to. There are, however, people dedicated to determining that. They maintain block lists broken down by category. The uBlock Origin plugin for Firefox
            • So if someone can come up with a characteristic specific to tracking, I can block only those pages and allow the ads that support my favorite web sites.

              A site with ads but no tracking will have its own store front where advertisers can buy ad space. This process doesn't need to place third-party cookies or images on viewers' devices. Therefore, to block tracking, block the loading of resources from unaffiliated domains. Use the Public Suffix List [publicsuffix.org] to find which hostnames are part of the same domain, and add cookieless domains used for static resources [ravelrumba.com] to a whitelist if they're obviously operated by the same publisher. Yes, this breaks CDNs used to deliver w

        • So what's the difference between an advertising site and a tracking site?

          A publisher* that doesn't track your browsing across multiple websites will sell its ad space directly to advertisers and host its own ads rather than handing the ad space off to a third party ad network or ad exchange. Daring Fireball [daringfireball.net] and Read the Docs [readthedocs.io] are examples.

          * A "publisher" is a site that shows ads, and an "advertiser" is a company that pays a publisher for ad space.

      • by arth1 ( 260657 )

        I'm not sure about that. Default adblocking filters do not block trackers.

        Who relies on default filters? Surely, people take a look every now and then to identify more items to block?

        There's also EFF's privacy badger. Too bad it only works in a couple of browsers, and that it turns on the "do not track" (which doesn't stop tracking; it just gives an additional piece of data for more accurate fingerprinting).

        • by AmiMoJo ( 196126 )

          Most users rely on block lists. They don't have the ability to write good filters, and simple ones are bypassed by advertisers using easy tricks like having a semi random URL.

          For many users they are 99% effective with zero effort.

          • by arth1 ( 260657 )

            I see the value of blocklists as a starting point. But the AdBlock family of blockers all make it relatively easy to make your own additions based on the page you're looking at, as well as disabling rules that are irrelevant to you, never causing hits, and just burning cycles.
            To me it seems like buying a guitar and never tuning it, relying on a store to do it for you every now and then. There are surely people who do that too, but I'd think the majority would prefer to do things themselves and get it righ

      • Re: (Score:2, Informative)

        by Anonymous Coward

        don't run the default... duh.

        abp only enables easylist by default.

        https://adblockplus.org/subscr... [adblockplus.org]

        you should run easylist+easyprivacy, any easylist specific to your country, fanboy annoyances, then whatever extras near the bottom of that list you want (nocoin, malware domains, spam404, etc).

      • Noscript will.

      • Comment removed based on user account deletion
      • Use privacy badger: https://www.eff.org/privacybad... [eff.org]
    • You still need noscript on top of adblock+. I didn't believe that until I tried noscript myself. There's a ton of junk that adblock misses. On slashdot.org, adblock+ misses scripts from slashdotmedia.com, stacksocial.com, taboola.com, trustarc.com, ml314.com, rpxnow.com, crsspxl.com, stack-sonar.com, licdn.com, cloudfront.net, truste.com, janrain.com, pro-market.net, fsdn.com. That's the list of domains this slashdot page is loading scripts from, not counting whatever was blocked by adblock+.
      • by nyet ( 19118 )

        The number of js sources /. refers to is ridiculous. This site used to be run by more or less decent people. Now it really is run by scumbags.

    • by cdxta ( 1170917 )

      I think another Speed Secret was by disabling our plug-ins. I remember reading an article a while ago about how ad-blocking in itself is one reason Firefox is slow and uses a lot of memory. Without everything having to be passed though an a 4MB pattern.ini file and nearly 1 MB elemhide.css file, of course it may be faster... A year or so ago I went though the ad-blocking list for Firefox on my PC and removed all rules with less than 5 hits which significantly cut down the list.

  • by Anonymous Coward
    The reporter is clueless about how browsers work. Rendering speed is not the same as loading time. As Mozilla said, the delay was added to improve paint performance, as trackers blocked the actual paint rendering. The page still loads with the same time, only the order of the scripts has been changed to show content faster and give a false illusion of speed.
  • by Anonymous Coward

    JS throwing requests all over the place got us into this mess in the first place.

    • by Aighearach ( 97333 ) on Saturday December 23, 2017 @03:15PM (#55797139)

      That's why I use both noscript and also uMatrix!

      Unless I, the user, have a reason for wanting javascript I won't turn it on . And even if I do, I don't want your cross-site scripting! uMatrix prevents that. And if something really needs a third party script, I can turn on just the specific third parties that are related. For example, I might allow a few google domains if I'm intentionally loading a map, but if I'm not using the map I'm not going to turn those on. And even if I am, I certainly don't want the analytics.

      It seems to be getting better, actually; 5 years ago almost every site had third party JS for important functions, now more and more sites are hosting their own scripts for core functionality.

      • by ls671 ( 1122017 )

        That's why I use both noscript and also uMatrix!

        Why would you use both?
        You can configure uMatrix to block everything by default just like noscript does. It is only a simple rule to edit.

  • by Noishkel ( 3464121 ) on Saturday December 23, 2017 @03:03PM (#55797079)
    And why shouldn't we? No one wanted to be tracked. And even more corporatist a-holes like Google have persistently gone out of their way to obscure the end users ability to even know how the system works. Screw them. It's our hardware, and it's our data. If you have a problem with this then Google should release a version of their OS that you can pay and doesn't track us and avoid the situation entirely.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      You can enable this in Options/Preferences > Privacy & Security > Tracking Protection, fyi.

  • NoScript can speed up web pages loading even more! Too bad some websites have noticed the NoScripters and made their website unusable once your disable JS execution.
    • Re:But ... (Score:5, Informative)

      by Aighearach ( 97333 ) on Saturday December 23, 2017 @03:19PM (#55797151)

      Too bad some websites have noticed the NoScripters and made their website unusable once your disable JS execution.

      I say to them, Thank you! I'm glad we agree that it is best if I use another site. Everybody wins!

      Lets not fight about this adblock stuff. Not everybody agrees, and that is wonderful, it is a sign of Freedom. There is no need to be passive-aggressive and make the site appear to work at first, and then fail later when you get to the heart of the content. Detect what is detectable, and be honest and straightforwards; if you don't want me as a user, great! I can agree to that, no problem!

  • by baomike ( 143457 ) on Saturday December 23, 2017 @03:27PM (#55797179)

    I notice that no one has mentioned these, why not?

    • by Misagon ( 1135 ) on Saturday December 23, 2017 @03:45PM (#55797257)

      I saw "Google Analytics" listed as one of the sites that Firefox delays. I run Privacy Badger in Chromium, so I checked quickly what it blocks on this site and apparently, Slashdot uses Google Analytics but Privacy Badger does not block it.
      I suppose that there could be lots of other sites that are let through but which Firefox prioritises down when loading.
      This means that running Privacy Badger is not a replacement for the prioritisation scheme that Firefox is doing.

      • by AmiMoJo ( 196126 )

        It blocks it for me. Are you sure you didn't click it over to green at some point?

      • by pots ( 5047349 )
        Privacy Badger blocks via heuristics, so the results are going to be a little inconsistent. I run it alongside Disconnect, for a blocklist-based privacy filter as well. Of course, neither one blocks Google Analytics, since NoScript filters it out before it gets to them...

        The advantage with the heuristics approach is that it will catch new things, and things which otherwise don't get included into blocklists.
    • by Sannemen ( 5204813 ) on Sunday December 24, 2017 @07:15AM (#55799751)
      Ghostery, probably because it keeps you private while, guess what?, selling your data... https://www.ghostery.com/faqs/... [ghostery.com]
  • by Required Snark ( 1702878 ) on Saturday December 23, 2017 @03:30PM (#55797197)
    The one that doesn't even send the tracking data back, or even better sends random results?

    It's not like any of us asked to be tracked, or get any benefit out of it. Our online existence has become a huge source of income while government and big business know far too much about our private lives. Maybe we should be taking the initiative to "opt out" of tracking in a way that will make a real difference.

    • by Anaerin ( 905998 )
      Who needs a mod? FF has "First Party Isolation" (Not enabled by default, use the about:config setting "security.firstparty.isolate" to enable it), which doesn't set or send cookies for any third party items loaded on a page. They can load their tracking images and the like just fine, but there's no id attached to them, so every time is a "different user".
  • by quonset ( 4839537 ) on Saturday December 23, 2017 @03:35PM (#55797217)

    Block all such scripts using add-ons such as uMatrix.

    It's truly amazing how fast pages load even on older systems when this technique is employed.

  • " It delays scripts from tracking domains, such as www.google-analytics.com."

    You should block all these domains at the router level, so it makes all the browser faster also the ones on your mobile gadgets.

  • by McFortner ( 881162 ) on Saturday December 23, 2017 @04:27PM (#55797445)
    How long before cleaver web programmers have the page require the tracking be completed before it sends vital parts of the page to the browser?

    The clock is ticking.... (pun intended)
    • by Anaerin ( 905998 )
      That is what was happening - Loading the tracking code was delaying the initial paint of the site. FF changed it so that the tracking code was loaded "as needed" and not delaying the initial load and paint of the site.
      • But next is REQUIRING the tracking data to be completely loaded and executed first. Can't let that ad revenue get away, don't you know.
    • Then link to a fake tracker that sets a value that's fake.

  • by Anaerin ( 905998 ) on Saturday December 23, 2017 @05:12PM (#55797651)

    FireFox inherited a small security update from the Tor project called "First Party Isolation". It's in newer versions of FF, but isn't turned on by default as it can break some authentication systems.

    What it does, is only allow cookies to be sent and received by the site in the page's URL. So, for instance, while visiting YouTube.com, images and the like from google.com can load, but have no cookies attached, and do not receive those cookies.

    To enable it, go to about:config and find "privacy.firstparty.isolate". Set it to true and restart the browser, and enjoy surfing the web knowing that you're not being tracked from site to site.

  • Prioritising the user over the advertiser? ^_^

    Black Helicopters dispatched to your location. Await airlift.

  • Just to be devil's advocate, I don't like the idea of things like this being "hidden". Firefox does give you control over how it blocks trackers and which list of known trackers exist on the Internet. Hopefully those settings also allow you to control how (and if) trackers are throttled, as well.

    • Well, to be the devil's devil's advocate, isn't this an arguably *good* thing in support of non-net-neutrality? If ISPs could throttle tracking domains, or spam emailers, wouldn't that be an unadulterated good for the hundreds of millions of people who might not be running the latest firefox browser?

      tl;dr - if consumers actually value different traffic differently, why should ISPs be prevented from prioritizing traffic they value, and throttling traffic they don't?

      I get it, the ISP "value" might be differe

      • by JustNiz ( 692889 )

        >> isn't this an arguably *good* thing in support of non-net-neutrality?

        Not really. I never gave any of those companies permission to spy on me. That has nothing to do with how much bandwidth they get.

  • There is no place like 127.0.0.1 http://winhelp2002.mvps.org/ho... [mvps.org] Host flash: https://journalxtra.com/linux/... [journalxtra.com]
  • ..then why can't they provide the user with a simple switch to blacklist them entirely?

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...