MDFP domains are marked as tracking in the snitch map #2351
Comments
|
I have a fix in progress as part of #2198 (I think ... that part may not be pushed to GH yet). It didn't seem worth fixing by itself. |
|
Do we need a migration? As in, what does having MDFP'd domains in snitch map break? |
|
The main reason I want to fix it is for issues like #2334 (comment). Right now MDFP domains have "false strikes" against them; if wikimedia.org is ever used in a third-party context on a domain outside its MDFP list, I think it will be blocked, even if it's never been seen tracking outside of the Wikimedia ecosystem. It also makes it harder to debug issues around MDFP domains when their snitch maps are full of other supposedly first-party domains. |
|
The migration would go something like, for every site domain in snitch map (which passed the less-strict third-partyness check in heuristicblocking.js), see if the site domain is in fact third-party to the tracker domain (the correct third-partyness check in webrequest.js). If it's not, oops, it's a mistake, we should remove it. If this brings snitch map for the tracking domain below |
I was investigating #2334, and realized one of my assumptions is wrong. When a third-party domain sets high-entropy cookies, Privacy Badger doesn't check to see whether the domain is on the MDFP list before updating the snitch map. As a result, even though Wikimedia domains are on the list, the seed dataset still has a full
snitch_mapentry for wikimedia.org. See https://github.com/EFForg/privacybadger/blob/master/src/data/seed.json#L10633.This is because
heuristicBlockingAccountingdoesn't contain any MDFP checks. I think this is a bug because every other place_recordPrevalenceis called does -- Privacy Badger won't record MDFP domains as trackers when they do fingerprinting or set localstorage cookies.The fix should be pretty easy, but it will also require a migration (as talked about here.)
The text was updated successfully, but these errors were encountered: