Firefox 93 features an improved SmartBlock and new Referrer Tracking Protections

oldschool

Level 66
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,585
https://blog.mozilla.org/security/2...tblock-and-new-referrer-tracking-protections/
We are happy to announce that the Firefox 93 release brings two exciting privacy improvements for users of Strict Tracking Protection and Private Browsing. With a more comprehensive SmartBlock 3.0, we combine a great browsing experience with strong tracker blocking. In addition, our new and enhanced referrer tracking protection prevents sites from colluding to share sensitive user data via HTTP referrers.

SmartBlock 3.0

In Private Browsing and Strict Tracking Protection, Firefox goes to great lengths to protect your web browsing activity from trackers. As part of this, the built-in content blocking will automatically block third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. This type of aggressive blocking could sometimes bring small inconveniences, such as missing images or bad performance. In some rare cases, it could even result in a feature malfunction or an empty page.

To compensate, we developed SmartBlock, a mechanism that will intelligently load local, privacy-preserving alternatives to the blocked resources that behave just enough like the original ones to make sure that the website works properly. The third iteration of SmartBlock brings vastly improved support for replacing the popular Google Analytics scripts and added support for popular services such as Optimizely, Criteo, Amazon TAM and various Google advertising scripts. As usual, these replacements are bundled with Firefox and can not track you in any way.

HTTP Referrer Protections

The HTTP Referer [sic] header is a browser signal that reveals to a website which location “referred” the user to that website’s server. It is included in navigations and sub-resource requests a browser makes and is frequently used by websites for analytics, logging, and cache optimization. When sent as part of a top-level navigation, it allows a website to learn which other website the user was visiting before. This is where things get problematic. If the browser sends the full URL of the previous site, then it may reveal sensitive user data included in the URL. Some sites may want to avoid being mentioned in a referrer header at all.

The Referrer Policy was introduced to address this issue: it allows websites to control the value of the referrer header so that a stronger privacy setting can be established for users. In Firefox 87, we went one step further and decided to set the new default referrer policy to strict-origin-when-cross-origin which will automatically trim the most sensitive parts of the referrer URL when it is shared with another website. As such, it prevents sites from unknowingly leaking private information to trackers.

However, websites can still override the introduced default trimming of the referrer, and hence effectively deactivate this protection and send the full URL anyway. This would invite websites to collude with trackers by choosing a more permissive referrer policy and as such remains a major privacy issue. With the release of version 93, Firefox will ignore less restrictive referrer policies for cross-site requests, such as ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’, and ‘unsafe-url’ and hence renders such privacy violations ineffective. In other words, Firefox will always trim the HTTP referrer for cross-site requests, regardless of the website’s settings. For same-site requests, websites can of course still send the full referrer URL.

Enabling these new Privacy Protections

As a Firefox user who is using Strict Tracking Protection and Private Browsing, you can benefit from the additionally provided privacy protection mechanism as soon as your Firefox auto-updates to Firefox 93. If you aren’t a Firefox user yet, you can download the latest version here to start benefiting from all the ways that Firefox works to protect you when browsing the internet.
 
F

ForgottenSeer 92963

I think Firefox is the most privacy oriented of the well known browsers. I like Edge on Windows much, because it has some security benefits over Google and a lot over Firefox, but I will give Firefox on Android a go on my smart phone. Thanks for sharing (y)
 

gonzalo

Level 2
May 20, 2014
94
I think Firefox is the most privacy oriented of the well known browsers. I like Edge on Windows much, because it has some security benefits over Google and a lot over Firefox, but I will give Firefox on Android a go on my smart phone. Thanks for sharing (y)
Can you please elaborate more about those "security benefits" in Ms Edge?
 
  • Like
Reactions: dabluez98

oldschool

Level 66
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,585
SmartBlock v3 stores and serves scripts in place of the original ones. I'm not techie so I can miserably mistaken, but sound somewhat similar to LocalCDN and Decentraleyes to me.
This is probably what you're referring to:
To compensate, we developed SmartBlock, a mechanism that will intelligently load local, privacy-preserving alternatives to the blocked resources that behave just enough like the original ones to make sure that the website works properly. The third iteration of SmartBlock brings vastly improved support for replacing the popular Google Analytics scripts and added support for popular services such as Optimizely, Criteo, Amazon TAM and various Google advertising scripts. As usual, these replacements are bundled with Firefox and can not track you in any way.
Yes, it does sound similar but my hunch is that it is qualitatively different, though I'm not certain. Probably someone with a better understanding than mine can provide an answer.
 
Last edited:
F

ForgottenSeer 92963

Can you please elaborate more about those "security benefits" in Ms Edge?
Somethings security features which Google has not got:
1. De-elevation on launch (from admin to standard user) of the Edge broker process.
2. Renderer process has Code Integrity Guard enabled (meaning only Microsoft signed code can be executed/injected).

On top of that there are two optional features:
3. You can prevent dll-injection in all Edge processes by enabling the Code Integrity Guard in Microsoft Defender Exploit Protection.
4. You can disable Just In Time compiler for Javascript with the egde flag "Superduper security" (the freedom of JIT needed for speed is often misused by malware, but nowadays javascript is nearly as fast as C++).

The fifth advantage is arbitrary Smartscreen scores a little better than Google's safe browsing in comparative tests and tests posted by by fellow MT-members.
 
Last edited by a moderator:

SpiderWeb

Level 9
Verified
Well-known
Aug 21, 2020
408
All the features they promote only work in Strict Mode which breaks 50% of the Internet because every site is cross posting now (embedded tweets, IG, YouTube). I'm not impressed. What would have been impressive is if they found out how to implement this without breaking browsing.
 

SecureKongo

Level 28
Verified
Top poster
Well-known
Feb 25, 2017
1,738
All the features they promote only work in Strict Mode which breaks 50% of the Internet because every site is cross posting now (embedded tweets, IG, YouTube). I'm not impressed. What would have been impressive is if they found out how to implement this without breaking browsing.
I am using Strict blocking for months now and except on a few websites I barely face any problems. Lets hope that they imrove SmartBlock further to prevent more website breakage.
 
Last edited:

SpiderWeb

Level 9
Verified
Well-known
Aug 21, 2020
408
Ca
My experience is similar so far.
Can you guys see embedded tweets and posts? I really want to use Strict mode but I'm annoyed by the all or nothing approach. It would be perfect if I could simply white list Twitter, YouTube and Instagram embeds but they don't allow you to whitelist trackers, just the entire domain. And some sites have nasty trackers so I refuse and just use Standard protection instead. I'm also having trouble with third party logins in Strict mode.
 

oldschool

Level 66
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,585
n you guys see embedded tweets and posts?
I haven't noticed since I don't use or look for them.
I'm also having trouble with third party logins in Strict mode.
Honestly haven't logged into many sites so I can't say. I tend to use Edge for those. You might really like LibreWolf as it disables and locks tracking protection. Noticeably faster than FF. I've been using it today to test phishing links.
 
F

ForgottenSeer 92963

All the features they promote only work in Strict Mode which breaks 50% of the Internet because every site is cross posting now (embedded tweets, IG, YouTube). I'm not impressed. What would have been impressive is if they found out how to implement this without breaking browsing.
What do you mean with all the features?
 
Last edited by a moderator:

Moonhorse

Level 32
Verified
Top poster
Content Creator
Well-known
May 29, 2018
2,164
Can you guys see embedded tweets and posts?
For me its been opposite after they implemented smartblock, i often run on edge so called max privacy setup into problems where i have to whitelist stuff (even cookies), but with firefox strict ( smartblock) I have never faced any problems. I do see twitter tweets and posts... but im not using any social media so i obviously have less to see (restrictions) than i would have when signed in to those sites
 
  • Like
Reactions: oldschool

oldschool

Level 66
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,585