Update Firefox 93 features an improved SmartBlock and new Referrer Tracking Protections

oldschool

Level 63
Verified
Mar 29, 2018
5,236
38,213
https://blog.mozilla.org/security/2...tblock-and-new-referrer-tracking-protections/
We are happy to announce that the Firefox 93 release brings two exciting privacy improvements for users of Strict Tracking Protection and Private Browsing. With a more comprehensive SmartBlock 3.0, we combine a great browsing experience with strong tracker blocking. In addition, our new and enhanced referrer tracking protection prevents sites from colluding to share sensitive user data via HTTP referrers.

SmartBlock 3.0

In Private Browsing and Strict Tracking Protection, Firefox goes to great lengths to protect your web browsing activity from trackers. As part of this, the built-in content blocking will automatically block third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. This type of aggressive blocking could sometimes bring small inconveniences, such as missing images or bad performance. In some rare cases, it could even result in a feature malfunction or an empty page.

To compensate, we developed SmartBlock, a mechanism that will intelligently load local, privacy-preserving alternatives to the blocked resources that behave just enough like the original ones to make sure that the website works properly. The third iteration of SmartBlock brings vastly improved support for replacing the popular Google Analytics scripts and added support for popular services such as Optimizely, Criteo, Amazon TAM and various Google advertising scripts. As usual, these replacements are bundled with Firefox and can not track you in any way.

HTTP Referrer Protections

The HTTP Referer [sic] header is a browser signal that reveals to a website which location “referred” the user to that website’s server. It is included in navigations and sub-resource requests a browser makes and is frequently used by websites for analytics, logging, and cache optimization. When sent as part of a top-level navigation, it allows a website to learn which other website the user was visiting before. This is where things get problematic. If the browser sends the full URL of the previous site, then it may reveal sensitive user data included in the URL. Some sites may want to avoid being mentioned in a referrer header at all.

The Referrer Policy was introduced to address this issue: it allows websites to control the value of the referrer header so that a stronger privacy setting can be established for users. In Firefox 87, we went one step further and decided to set the new default referrer policy to strict-origin-when-cross-origin which will automatically trim the most sensitive parts of the referrer URL when it is shared with another website. As such, it prevents sites from unknowingly leaking private information to trackers.

However, websites can still override the introduced default trimming of the referrer, and hence effectively deactivate this protection and send the full URL anyway. This would invite websites to collude with trackers by choosing a more permissive referrer policy and as such remains a major privacy issue. With the release of version 93, Firefox will ignore less restrictive referrer policies for cross-site requests, such as ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’, and ‘unsafe-url’ and hence renders such privacy violations ineffective. In other words, Firefox will always trim the HTTP referrer for cross-site requests, regardless of the website’s settings. For same-site requests, websites can of course still send the full referrer URL.

Enabling these new Privacy Protections

As a Firefox user who is using Strict Tracking Protection and Private Browsing, you can benefit from the additionally provided privacy protection mechanism as soon as your Firefox auto-updates to Firefox 93. If you aren’t a Firefox user yet, you can download the latest version here to start benefiting from all the ways that Firefox works to protect you when browsing the internet.
 
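To make the SmartBlock paragraph above concrete, here is an added example (not Mozilla's SmartBlock code, which ships inside Firefox) of the kind of local, privacy-preserving stand-in it describes: a shim for the Google Analytics "analytics.js" command-queue API. The point is that a replacement must keep the API shape a page depends on (the global `ga()` function, the `ga.q` queue the stock bootstrap snippet fills before the real script loads, tracker callbacks, and the `hitCallback` that pages wait on before navigating) while sending nothing anywhere. All identifiers, the placeholder property id, and the sample page are constructed for this example.

```javascript
// Added example, not Mozilla's SmartBlock code. A minimal local stand-in for the
// Google Analytics "analytics.js" command-queue API: it keeps the shape a page
// depends on (ga(), the pre-load ga.q queue, tracker callbacks, hitCallback)
// while sending nothing anywhere. Identifiers below are chosen for the example.

function installAnalyticsShim(win) {
  const recorded = [];            // what the page asked for; stays in memory only
  const tracker = {               // just enough tracker surface for callback-style code
    get(field) { return field === 'clientId' ? '0000000000.0000000000' : undefined; },
    set() {},
    send() {},
  };

  function handle(args) {
    // ga(function (tracker) { ... }) runs once the library is "ready"
    if (typeof args[0] === 'function') { args[0](tracker); return; }
    const [command, ...rest] = args;
    recorded.push([command, ...rest]);
    if (command === 'send') {
      // analytics.js honours a hitCallback in the trailing fields object; pages use it
      // to continue (e.g. navigate after tracking an outbound click), so a shim that
      // swallowed it would hang those pages.
      const fields = rest[rest.length - 1];
      if (fields && typeof fields === 'object' && typeof fields.hitCallback === 'function') {
        fields.hitCallback();
      }
    }
  }

  const pending = win.ga && Array.isArray(win.ga.q) ? win.ga.q : [];
  function ga(...args) { handle(args); }
  ga.q = [];
  ga.l = Date.now();
  ga.loaded = true;
  ga.create = () => tracker;
  ga.getAll = () => [tracker];
  ga.getByName = () => tracker;
  win.ga = ga;
  win.GoogleAnalyticsObject = 'ga';
  // drain the commands the standard snippet queued before the real script would load
  pending.forEach((queued) => handle(queued));
  return { recorded, tracker };
}

// Constructed page: the stock GA bootstrap snippet queues commands, then a script that
// waits for hitCallback before navigating away.
function demo() {
  const win = {};
  win.ga = function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga('create', 'UA-00000000-1', 'auto');   // placeholder property id, not a real one
  win.ga('send', 'pageview');

  const { recorded } = installAnalyticsShim(win);

  let navigated = false;
  win.ga('send', 'event', 'outbound', 'click', { hitCallback: () => { navigated = true; } });
  win.ga((t) => recorded.push(['callback', t.get('clientId')]));
  return { recorded, navigated };
}
```

The shim records what the page asked for only so the example can show it; a real replacement would discard it. The `hitCallback` handling is the part that matters most for "the website works properly": a blocked-but-not-shimmed analytics script leaves that callback uncalled, which is one way outbound links stop working under aggressive blocking.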

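The HTTP Referrer section above describes two things: what each Referrer Policy lets a site send, and the Firefox 93 rule that cross-site requests are trimmed no matter what the site asks for. The following added example (not Mozilla's code) models both. `computeReferrer` follows the standard policy semantics for the policies named in the post plus the remaining standard ones (`no-referrer`, `origin`, `same-origin`, `strict-origin`); `firefox93Referrer` applies the clamp described in the post. Two simplifications are assumptions of the example: "site" is approximated as the last two host labels (real browsers use the Public Suffix List), and "downgrade" is simplified to https/wss to http/ws. The sample URLs are constructed.

```javascript
// Added example, not Mozilla's code. Models the Referer value a browser sends for a
// request from `fromHref` to `toHref` under each Referrer Policy, then applies the
// Firefox 93 rule from the post: for cross-site requests, policies looser than
// strict-origin-when-cross-origin are ignored.

// Assumption: "site" approximated as the last two host labels (example.com).
// Real browsers use the Public Suffix List, so this is wrong for e.g. co.uk domains.
function siteOf(url) {
  return url.hostname.split('.').slice(-2).join('.');
}

// "Strip url for use as a referrer": credentials and fragment never leak.
function fullReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

function originReferrer(url) {
  return url.origin + '/';
}

// Simplification: only https/wss count as protected; a request to http/ws from such
// a page is a "downgrade" (the spec speaks of potentially trustworthy URLs).
function isProtected(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:';
}

function computeReferrer(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;
  const downgrade = isProtected(from) && !isProtected(to);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullReferrer(from);
    case 'origin':
      return originReferrer(from);
    case 'same-origin':
      return sameOrigin ? fullReferrer(from) : null;
    case 'strict-origin':
      return downgrade ? null : originReferrer(from);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullReferrer(from);
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? null : originReferrer(from);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// The policies the post says Firefox 93 ignores for cross-site requests.
const IGNORED_CROSS_SITE = new Set([
  'no-referrer-when-downgrade',
  'origin-when-cross-origin',
  'unsafe-url',
]);

function firefox93Referrer(policy, fromHref, toHref) {
  const crossSite = siteOf(new URL(fromHref)) !== siteOf(new URL(toHref));
  const effective =
    crossSite && IGNORED_CROSS_SITE.has(policy) ? 'strict-origin-when-cross-origin' : policy;
  return computeReferrer(effective, fromHref, toHref);
}

// Constructed sample: a page whose URL carries a session token, the classic leak.
const PAGE = 'https://shop.example.com/cart?session=deadbeef#items';

function demo() {
  return {
    // site-chosen unsafe-url, as a browser honouring the site's policy would send it
    legacyToTracker: computeReferrer('unsafe-url', PAGE, 'https://tracker.invalid/pixel'),
    // same request under the Firefox 93 rule: trimmed to the origin regardless of policy
    ff93ToTracker: firefox93Referrer('unsafe-url', PAGE, 'https://tracker.invalid/pixel'),
    // same-site request: the page's own policy still applies, so the full URL goes out
    ff93SameSite: firefox93Referrer('unsafe-url', PAGE, 'https://cdn.example.com/img.png'),
    // cross-site downgrade to http: nothing is sent at all
    ff93Downgrade: firefox93Referrer('no-referrer-when-downgrade', PAGE, 'http://tracker.invalid/p'),
  };
}
```

Run `demo()` under Node to see the four cases side by side. The practical check for a site owner is the `ff93SameSite` case: the clamp only covers cross-site requests, so a page that still sets `unsafe-url` (or relies on the older `no-referrer-when-downgrade` default) keeps leaking the full URL to every same-site host, and any sensitive value in the query string should still be kept out of the URL rather than trusted to the browser's trimming.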
Kees1958

I think Firefox is the most privacy oriented of the well known browsers. I like Edge on Windows much, because it has some security benefits over Google and a lot over Firefox, but I will give Firefox on Android a go on my smart phone. Thanks for sharing (y)
 

gonzalo

I think Firefox is the most privacy oriented of the well known browsers. I like Edge on Windows much, because it has some security benefits over Google and a lot over Firefox, but I will give Firefox on Android a go on my smart phone. Thanks for sharing (y)
Can you please elaborate more about those "security benefits" in Ms Edge?
 

oldschool

SmartBlock v3 stores and serves scripts in place of the original ones. I'm not techie so I can be miserably mistaken, but it sounds somewhat similar to LocalCDN and Decentraleyes to me.
This is probably what you're referring to:
To compensate, we developed SmartBlock, a mechanism that will intelligently load local, privacy-preserving alternatives to the blocked resources that behave just enough like the original ones to make sure that the website works properly. The third iteration of SmartBlock brings vastly improved support for replacing the popular Google Analytics scripts and added support for popular services such as Optimizely, Criteo, Amazon TAM and various Google advertising scripts. As usual, these replacements are bundled with Firefox and can not track you in any way.
Yes, it does sound similar but my hunch is that it is qualitatively different, though I'm not certain. Probably someone with a better understanding than mine can provide an answer.
 

Kees1958

Can you please elaborate more about those "security benefits" in Ms Edge?
Some security features which Google has not got:
1. De-elevation on launch (from admin to standard user) of the Edge broker process.
2. Renderer process has Code Integrity Guard enabled (meaning only Microsoft-signed code can be executed/injected).

On top of that there are two optional features:
3. You can prevent DLL injection in all Edge processes by enabling the Code Integrity Guard in Microsoft Defender Exploit Protection.
4. You can disable the Just In Time compiler for JavaScript with the Edge flag "Superduper security" (the freedom of JIT needed for speed is often misused by malware, but nowadays JavaScript is nearly as fast as C++).

The fifth advantage is arbitrary: SmartScreen scores a little better than Google's Safe Browsing in comparative tests and tests posted by fellow MT members.
 

SpiderWeb

All the features they promote only work in Strict Mode which breaks 50% of the Internet because every site is cross posting now (embedded tweets, IG, YouTube). I'm not impressed. What would have been impressive is if they found out how to implement this without breaking browsing.
 

SecureKongo

All the features they promote only work in Strict Mode which breaks 50% of the Internet because every site is cross posting now (embedded tweets, IG, YouTube). I'm not impressed. What would have been impressive is if they found out how to implement this without breaking browsing.
I have been using Strict blocking for months now and, except on a few websites, I barely face any problems. Let's hope that they improve SmartBlock further to prevent more website breakage.
 

koloveli

Firefox is more secure; Vivaldi, if configured, can help identify fake sites...
 

SpiderWeb

My experience is similar so far.
Can you guys see embedded tweets and posts? I really want to use Strict mode but I'm annoyed by the all or nothing approach. It would be perfect if I could simply white list Twitter, YouTube and Instagram embeds but they don't allow you to whitelist trackers, just the entire domain. And some sites have nasty trackers so I refuse and just use Standard protection instead. I'm also having trouble with third party logins in Strict mode.
 

oldschool

Can you guys see embedded tweets and posts?
I haven't noticed since I don't use or look for them.
I'm also having trouble with third party logins in Strict mode.
Honestly haven't logged into many sites so I can't say. I tend to use Edge for those. You might really like LibreWolf as it disables and locks tracking protection. Noticeably faster than FF. I've been using it today to test phishing links.
 

Kees1958

All the features they promote only work in Strict Mode which breaks 50% of the Internet because every site is cross posting now (embedded tweets, IG, YouTube). I'm not impressed. What would have been impressive is if they found out how to implement this without breaking browsing.
What do you mean with all the features?
 

Moonhorse

Can you guys see embedded tweets and posts?
For me it's been the opposite: after they implemented SmartBlock, I often run into problems on Edge's so-called max privacy setup where I have to whitelist stuff (even cookies), but with Firefox Strict (SmartBlock) I have never faced any problems. I do see Twitter tweets and posts... but I'm not using any social media so I obviously have less to see (restrictions) than I would have when signed in to those sites.
 
