Firefox 59 Will Stop Websites Snooping on Where You've Just Been (zdnet.com) 121
Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.
Finally (Score:1)
This privacy issue has been known for as long as browsers have been around. Nevertheless, this is good news.
Re: (Score:3, Insightful)
Every time I look at a post like this, I wonder when Slashdot will get with the times and support unicode?
Re: (Score:2)
Probably once you and the rest of the user base have flocked to SoylentNews, which forked the Slash software and added proper Unicode support.
Re: (Score:2, Interesting)
I'm glad they haven't. There's very little real use for it, and those messed-up comments give useful information for judging clueless commenters.
Re: (Score:2)
Probably when it becomes a standard. I mean, any legitimate tech site would wait until that point, and then roll the change into their development cycle for the next release.
Re: (Score:2)
Commenting here just to undo a misclicked moderation to your comment (i HATE those instant combo-boxes). (Nothing to see here people, move along.)
Re: (Score:2)
Well slashdot does announce "Content-Type:text/html; charset=utf-8" in its response header, so can't blame the browser here.
Re: (Score:2)
There are a few issues here:
- user doesn’t have much control over the behaviour of their OS or browser in many cases
- it looks fine in Slashdot’s preview view, but then gets corrupted on submission
Firefox's other privacy problems need to be fixed. (Score:2, Interesting)
Unlike many people, I've actually read Firefox's privacy policy [mozilla.org].
It turns out that Firefox's privacy policy is quite disturbing, especially when considering how often we're told that Firefox supposedly "cares" about our privacy.
The Firefox privacy policy dated September 28, 2017 makes it clear that Firefox user data can be collected by Firefox and can be sent to various third parties, including Google, some "Adjust" company, some "Leanplum" company, and SalesForce.
For example, there are very worrying section
Keep them from removing your pet CSS or JS feature (Score:1)
Without telemetry, how do you expect a browser developer to assess use coverage of the browser's code? Without coverage, browser developers have no way to know which bugs to prioritize fixing and no way to know which web standards are used in websites. Without information about feature use, browser developers might assume CSS and JavaScript features used in your site are "not widely adopted on the web" and begin the process of removing them from the web standards.
Features used only while logged in (Score:2)
Browser vendors can comb the top 10000 websites of the world easily enough and see what features are being used the most.
That won't work for features used more often in the long tail below the top 10000 or behind the login page of the top 10000. This might be the case, for example, for the Encrypted Media Extensions used to enforce audio and video rental terms.
Re: (Score:2)
most people probably do not use any of the 10000 top sites, as that is just a small fraction of all the sites in the internet. Also, how to determine the 10000 top sites? check what IE reports? then it would probably not map what firefox users see, but what IE users see. That info does not show up by magic.
example: how many people use webm ? is it ok to support that, or is just trash being bundled in the browser? do they use the alternatives to it? or do not use anything? Is feature XYZ slowing down sites?
Re: (Score:2)
When many, many, many Firefox users keep on reporting again and again and again that Firefox suffers from severe performance and memory usage problems, do you know what the Firefox developers should do? Focus on the performance and memory usage problems that the users are talking about!
When many, many, many Firefox users keep on saying that they don't want their XUL extensions to break, do you know what the Firefox developers should do? Focus on not breaking browser functionality that Firefox users deem to be essential!
What if the memory usage problems are from having XUL extensions?
RAM not used by one process != free RAM (Score:2)
You do realise that free ram is wasted ram.
Provided it's actually free RAM, as opposed to RAM that belongs to another process that would end up swapped out to disk if Firefox were to allocate and use it.
Re: (Score:2)
1) They need to listen to what their users are voluntarily saying.
"After a Firefox update, this site doesn't let me use it after I've logged in."
2) If they don't understand what their users are saying, then they can ask the users some questions to clarify the situation.
"We aren't members of that site. What error messages is it showing in the Error Console?"
Except I don't see how non-technical end users are likely to be able to answer that usefully.
Re: (Score:2)
Which provider other than Google would you recommend that Firefox instead use when the user chooses to query the safety reputation of a particular website or downloaded file? Or how do you find why do you find offering the choice to query the safety reputation of a particular website or downloaded file inherently harmful?
Which provider other than Google would you recommend that Firefox instead use when the user chooses to reveal the user's location to a site? Or why do you find offering the choice to reveal
Re: (Score:2)
How about letting the users be responsible for the sites they visit? Why should the browser be doing your due diligence for you?
Re: (Score:2)
Why should the browser be doing your due diligence for you [with respect to websites that distribute malware]?
Because non-technical users, who outnumber technical users, have seen that as a desirable feature in a web browser.
Re: (Score:3)
The fact that mozilla tried to really list all the data that it takes and where to send it is good and your post looks like scary, but all of those items have a reasons:
> Google’s SafeBrowsing service
duh! if you want to know if the site/file is in a blacklist, you do need to sent it to some place to be checked. It can be disabled, but of course most people want this enabled
>Location data to Google's geolocation service
duh again, if you see a pop-up from firefox asking that the site wants to see
Re: Firefox's other privacy problems need to be fi (Score:2)
Thanks. You got some good knowledge.
But you missed one of the most important phrases in their privacy policy:
" {...} which has its own privacy policy.
" {...} which has its own privacy policy.
" {...} which has its own privacy policy.
(Give or take a policy )
Now, to complete interpretation of this policy, these others must be interpreted too.
Re: (Score:2)
true, but most of the info is mostly useless by itself, firefox only sends some selected info, when it wants and without other extra info (cookies and likes)... this is very far from tracking all requests, all with tracking cookies.
The 2 most problematic info is the email and the url in safebrowsing. The email, there is nothing to do, that is the way email work, every server that the mail uses can see your email and use it to do spam, even if illegal in many places.
The url in safebrowsing, may be used to tr
Change doesn't stop snooping of where you've been (Score:5, Informative)
To prevent this type of data leakage, from Firefox 59, the private browsing option will remove path information from referrer values sent to third parties, effectively stripping out additional data and only leaving the web domain.
Re:Change doesn't stop snooping of where you've be (Score:5, Interesting)
Meh, in private browsing mode they really should kill the referrer from any top level page. If it's an <img>, <iframe> or <video> tag it's cool... but if I go from foo.com to bar.com via an <a href> it shouldn't secretly tell bar.com I came from foo.com. Transparency in what information you're exposing is essential to security and most people aren't aware it's happening.
Re: (Score:2)
To prevent this type of data leakage, from Firefox 59, the private browsing option will remove path information from referrer values sent to third parties, effectively stripping out additional data and only leaving the web domain.
Hopefully this is just the first step toward a proper solution. Step 2 is to apply the same policy for intra-site links, to prevent sites from filtering on the exact page address. Step 3 is to always send the requested resource's domain, regardless of the source.
Ruining my fun.. (Score:4, Funny)
Re:Ruining my fun.. (Score:5, Informative)
Unless Pornhub links to the Christian Coalition, the referrer field will be blank. The "referer" field only gets set when you click on a link. Just typing in the new address on the address bar doesn't do it.
Re: (Score:3)
So you just drop a link to christian coalition in a pronhub comment and click it from there, problem solved =)
Re: (Score:2)
Re: (Score:2)
Yeah... not really a problem on any site that allows user comments with links though. In fact this traffic would be more confusing, like okay I'm seeing a lot of traffic from reddit but what sub-board has linked me now or what celeb linked me on Facebook or what video is going viral on YouTube. Then again you'll probably see a substantial amount of any traffic in non-private mode, so not really a big deal I guess.
Re: (Score:2, Informative)
I have 184 tabs open at the moment and my Firefox processes are using a total of ~900MB of RAM, what are you doing to get it to 15GB?!?
Re: (Score:1)
1.5, not 15, and that was before, now it is usually twice that. Currently there are 6 Firefox processes running, using 695, 380, 354, 335, 305, and 201 MB respectively (so ONLY ~2.3GB now), after restarting about an hour ago. I have 4 windows open with probably 70 tabs spread across them, which I admit is a lot, but this is what I have always done. The vast majority of those tabs are not even loaded, because I haven't looked at them since the last time I had to kill the processes to get it working again.
Re: (Score:1)
Forgot to mention, FF 58.0.1 (64 Bit)
Re: (Score:2)
Thought experiment: restart your browser with extensions disabled and compare usage.
I am using ublock origin after reading somewhere that adblock plus was a performance hog.
Re: (Score:1)
Just tried this, with no active extensions I currently have 7 instances, 675, 510, 248, 245, 88, 36, 20 MB, so ~1.8 GB of RAM, I had closed a few tabs since last time, it also hasn't been running as long as it was when I added things up earlier. Still much worse than it was before the big update a few months ago,
Re: (Score:2)
I'd try creating a fresh profile then, launch firefox.exe -P and create a new profile, see if that doesn't help.
Re: (Score:2)
Sorry, read that as 5 processes at 3GB each. Still that's a LOT. Try switching to ublock origins and privacy badger, both ABP and Ghostery are run by ad networks now and have ad whitelisting, ublock and privacy badger are both open source and maintained by trustworthy groups. You can also try the 32bit version, not a lot of need for 64bit IME (though I guess ASLR would make 64bit more secure so perhaps worth the bloat).
If you're thrashing swap, say so (Score:2)
To counter "unused RAM is wasted RAM", make your complaints explicitly about the user-observable symptom: "Firefox causes my computer to thrash swap when I do X, Y, and Z." If you have made a report that explicitly mentioned page file usage, what was the reply?
Re: (Score:2)
Processes listed by name showing all FF processes, tabcount addon showing tab count, not sure what more you want...
https://photos.app.goo.gl/MWnO... [app.goo.gl]
https://photos.app.goo.gl/XjFr... [app.goo.gl]
Re: (Score:2)
Nope, Fark, slashdot, ARS Technica, rv.net, management pages for the Netscalers around the world, normal pages. I did reboot last night so a lot of those pages are dormant but I've been working for 5 hours so there's been plenty of activity.
"so called"? (Score:2)
When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value."
This is how the web has always worked and it's a public specification. There's nothing so called or nefarious here.
Re: (Score:1)
Give the middle finger to google (Score:1)
Google itself removes the referer (an url with a query) when I use open source statistics software like Piwik, for "privacy reasons", except they do show what people searched for on their own analytics services, so in reality it was just to give the middle finger to competition, using the near monopoly of the search engine. So I'd like Firefox to return the favor and not hand the complete referer to any 3rd parties loaded on websites. Just do this in the header to Google:
Referer: -_-*,,|,
Using Matomo/Piwik? Try Search Console and HTTPS (Score:2)
Glad to see someone else using Matomo (formerly Piwik) instead of third-party analytics.
Seeing as you've shown interest in helping viewers find documents on your site, have you tried signing up for the major web search engines' webmaster tools, such as Google Search Console? I was under the impression that these tools offered search queries even without having to install a search engine's analytics script on your site. (Source: "What is Search Console?" [google.com]; "Help Center - Bing Webmaster Tools" [bing.com])
Another tip: Doe
What took them so long? (Score:2)
Re: (Score:2)
Re: (Score:2)
When? (Score:2)
TFS, TFA don't say.
New Tab ? (Score:1)
Third party cookies (Score:2)
What they really need to disable is third party cookies. Period.
This stops a lot of the tracking. No more advertisements on another site for something you have just searched for on google.
It breaks a few web sites that rely on them, unfortunately. Mostly discussions forums. It does break my credit union's billpay and a host provisioning site at my work, too. IMO, sites that rely on third party cookies are poorly designed.
Will it stop writing datareporting logs? (Score:2)
So any news on that?!!
I have send referer disabled... (Score:2)
... However, a few web sites require it to work correctly. :(
Re:Don't break the referrer (Score:5, Informative)
If you RTFA (I know, I know; I must be new around here), you'll see this is only for Private Mode, and leaves the domain portion intact. You can still see if they loaded from your domain.
Referrer Header (Score:2)
Re:Referrer Header (Score:5, Informative)
You beat me to the reply. According to the horse itself, [mozilla.org] this is in fact precisely what they are doing:
Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).
I agree that it should be the default, and (I discovered today), you can set it be in Firefox's about:config [about] by setting network.http.referer.userControlPolicy [mozilla.org] to 2.
Re: (Score:1)
Re: (Score:2)
Not only that, if Slashdot had linked the original Firefox blog post [mozilla.org] instead of the insipid rehash from ZDNet with an auto-playing video, the GP would have seen that they are actually setting the Referrer-Policy [mozilla.org] to "strict-origin-when-cross-origin" which doesn't affect same-domain referrals unless they downgrade from HTTPS to HTTP.
Quite frankly, this should be the default already. I have it set that way on all my sites, and today I learned that you can set it client-side on Firefox. [mozilla.org]
Re: (Score:2)
Re: (Score:1)
Why wouldn't this be the default?
Same site allow referrer. Anything else completely block it.
Re: (Score:2)
You'll break sites that only show you the full content when coming from Google but throw up an interterrestrial when direct linking if you do that, setting referrer to be only domain if doing cross-site is probably the best option.
Re: (Score:2)
...You'll break sites that only show you the full content when coming from Google but throw up an interterrestrial when direct linking if you do that...
Which is why I use the Toggle-Proxy add-in (one of the extensions that stopped working in Firefox and one of the reasons why I moved to Waterfox). If I see the very infrequent site that offers the interstitial as you say, I just turn off the proxy and go direct. But it is my choice when I want to do that.
Pangalactic! (Score:3)
Re: (Score:2)
Re: (Score:1)
if youre checkin http_referrer for valid requests, youre doing it wrong anyway. referrer can be faked easily therefore absolutely not reliable.
Re: (Score:2)
Then what image should a document on one site use to represent the document on another site to which it is linking?
Don't break og:image thumbnails either (Score:2)
If you deny hotlinking, and a user of another website supporting Open Graph protocol links to a document on your site, then the link will look unusually plain because the site won't be able to display the thumbnail declared in og:image [ogp.me]. What mechanism have you put in place to allow hotlinking only in the context of thumbnails intended to attract visits to documents on your site, such as og:image, and deny it otherwise? Or do you just opt out of offering thumbnails for other authors to use when citing your
Re: (Score:2)
What mechanism have you put in place to allow hotlinking only in the context of thumbnails intended to attract visits to documents on your site, such as og:image, and deny it otherwise?
Um... I don't use Open Graph Protocol whatever that is, and if somebody wants to show a link to my site with a thumbnail, then they're going to have to generate that on their server and serve the image to their users.
Rehosting vs. hotlinking (Score:2)
if somebody wants to show a link to my site with a thumbnail, then they're going to have to generate that on their server and serve the image to their users.
That's rehosting, which some authors find even worse than hotlinking because they don't receive the insight about their audience that comes from a list of sites in which the preview image is embedded.
Re: (Score:2)
Re: (Score:2)
Let me know when key binding support for new-style addons [mozilla.org] is fixed.