Intent to Merge: Google Analytics on

Julien Wajsberg jwajsberg at
Sun Nov 19 14:55:31 UTC 2017


I'm part of the perf.html dev team.

Let me try to rephrase what the possible threat is:

 1. You are privacy-conscious so you have DNT enabled. You capture a
    profile with the Gecko Profiler, and share it through 
    Locally GA is _not_ loaded because DNT is enabled.
 2. You then hand over the link to another person.
 3. This person is not as privacy-conscious, and didn't enable DNT. As a
    result, loading the URL through _will_ load GA.
 4. Loading GA involves loading a 3rd-party script we don't control, and
    so this can be a malicious script.

If that's the threat, I'd like to share some other bits of information 
about perf-html, from _before_ we integrate GA:

  * we already do load a 3rd-party script to shorten URL: we use the
    JSONP-based API and therefore it involves loading a <script>.
    Looking at it closer it seems they now support CORS so we should
    switch to that instead.
  * when sharing profiles we already send the profiles to google cloud
    storage, plain and unencrypted.
  * before implementing GA we implemented CSP [1]

This means we already had some threats even before we implemented GA. 
I'm not saying "ok, now we can continue to do bad things" :) You made me 
look at it closer and I do think we should address them.

 1. We should encrypt the data /à la/ Firefox Send.
 2. We should switch to the CORS version of the API
 3. Maybe we should have a flag in the URL that would enable DNT as
    well, so that it's easy to share a non-tracking URL to
    When a user with DNT enabled shares a profile, he could check a
    checkbox to get this flag in the URL.

Thoughts?


On 18/11/2017 at 07:06, Boris Zbarsky wrote:
> On 11/17/17 7:50 PM, Harald Kirschner wrote:
>> nothing private about the profile itself is collected in GA.
> Assuming GA itself is not buggy or malicious, right?
>> As alternative to uploading you can also download the profiles 
>> locally and attach them to private bugs; so you stay in control over 
>> them and can remove them as needed.
> I don't see how that's possible in a sane way.  Capturing a profile 
> automatically hands the data to scripts running on, no?  
> It may not be uploaded in the sense of being stored on the server, but 
> it's in the global the GA scripts are running in.
> I have to admit that this change makes me a lot less comfortable using 
> the Gecko profiler at all.  :(
>> Would it be helpful to have anonymization as an option; to have a 
>> best-effort approach on removing PII like URLs from profiles?
> If it were done in the profiler itself (i.e. in code we control), not 
> in (which we don't fully control if we load third-party 
> scripts into it), it would help with the privacy issue.  Of course it 
> would make the profiles a lot less useful (e.g. make it harder to 
> figure out which site of the several I have open is causing the 
> performance problem).
> -Boris
> _______________________________________________
> firefox-dev mailing list
> firefox-dev at
