Intent to Merge: Google Analytics on perf-html.io
jwajsberg at mozilla.com
Sun Nov 19 14:55:31 UTC 2017
I'm part of the perf.html dev team.
Let me try to rephrase what the possible threat is:
1. You are privacy-conscious so you have DNT enabled. You capture a
profile with the Gecko Profiler, and share it through perf-html.io.
Locally GA is _not_ loaded because DNT is enabled.
2. You then hand over the link to another person.
3. This person is not as privacy-conscious, and didn't enable DNT. As a
result, loading the URL through perf-html.io _will_ load GA.
4. Loading GA involves loading a 3rd-party script we don't control, and
so this can be a malicious script.
If that's the threat, I'd like to share some other bits of information
about perf-html, from _before_ we integrate GA:
* we already do load a 3rd-party script to shorten URL: we use the
JSONP-based bit.ly API and therefore it involves loading a <script>.
Looking at it closer it seems they now support CORS so we should
switch to that instead.
* when sharing profiles we already send the profiles to google cloud
storage, plain and unencrypted.
* before implementing GA we implemented CSP
This means we already had some threats even before we implemented GA.
I'm not saying "ok, now we can continue to do bad things" :) You made me
look at it closer and I do think we should address them.
1. We should encrypt the data /à la/ Firefox Send.
2. We should switch to the CORS version of the bit.ly API.
3. Maybe we should have a flag in the URL that would enable DNT as
well, so that it's easy to share a non-tracking URL to perf-html.io.
When a user with DNT enabled shares a profile, he could check a
checkbox to get this flag in the URL.
Le 18/11/2017 à 07:06, Boris Zbarsky a écrit :
> On 11/17/17 7:50 PM, Harald Kirschner wrote:
>> nothing private about the profile itself is collected in GA.
> Assuming GA itself is not buggy or malicious, right?
>> As alternative to uploading you can also download the profiles
>> locally and attach them to private bugs; so you stay in control over
>> them and can remove them as needed.
> I don't see how that's possible in a sane way. Capturing a profile
> automatically hands the data to scripts running on perf-html.io, no?
> It may not be uploaded in the sense of being stored on the server, but
> it's in the global the GA scripts are running in.
> I have to admit that this change makes me a lot less comfortable using
> the Gecko profiler at all. :(
>> Would it be helpful to have anonymization as an option; to have a
>> best-effort approach on removing PII like URLs from profiles?
> If it were done in the profiler itself (i.e. in code we control), not
> in perf-html.io (which we don't fully control if we load third-party
> scripts into it), it would help with the privacy issue. Of course it
> would make the profiles a lot less useful (e.g. make it harder to
> figure out which site of the several I have open is causing the
> performance problem).
> firefox-dev mailing list
> firefox-dev at mozilla.org
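Proposal 3 above (a URL flag that makes the recipient's page behave as if DNT were on) can be prototyped as a small client-side gate. The snippet below is an added illustration written for this thread, not perf.html project code: the query parameter name `dnt` is an assumption, the sample URLs are constructed, and the browser `navigator` object is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example, not part of the perf.html code base.
// Gate the loading of a third-party analytics script on two signals:
//   1. the viewer's own Do Not Track setting, and
//   2. a hypothetical "dnt=1" flag that a DNT-enabled sharer can put in the
//      URL so that the recipient's page also skips the analytics script.
const DNT_FLAG = 'dnt'; // assumed query parameter name

// Browsers exposed DNT under a few different property names over the years;
// the value "1" (or "yes" in some older builds) means the user opted out.
function viewerHasDnt(nav) {
  const raw = nav.doNotTrack !== undefined && nav.doNotTrack !== null
    ? nav.doNotTrack
    : nav.msDoNotTrack;
  return raw === '1' || raw === 'yes';
}

// True when the shared link itself asks for a non-tracking page.
function urlRequestsDnt(urlString) {
  const url = new URL(urlString);
  return url.searchParams.get(DNT_FLAG) === '1';
}

// The analytics script is loaded only if neither signal opts out.
function shouldLoadAnalytics(nav, urlString) {
  return !viewerHasDnt(nav) && !urlRequestsDnt(urlString);
}

// What the sharing UI would produce: the checkbox from the proposal maps to
// the sharerHasDnt argument and adds the flag to the link being handed over.
function makeShareUrl(baseUrl, sharerHasDnt) {
  const url = new URL(baseUrl);
  if (sharerHasDnt) {
    url.searchParams.set(DNT_FLAG, '1');
  }
  return url.toString();
}

// Inject the third-party <script> only after the gate has passed.
// `doc` is the page's document; `src` is the analytics script URL.
function loadAnalyticsIfAllowed(doc, nav, src) {
  if (!shouldLoadAnalytics(nav, doc.location.href)) {
    return false;
  }
  const script = doc.createElement('script');
  script.async = true;
  script.src = src;
  doc.head.appendChild(script);
  return true;
}
```

The flag only covers the case the thread describes (a DNT-enabled sharer handing a link to someone without DNT); a recipient who edits the flag out of the URL, or a bookmark saved without it, loads the page with the usual analytics behaviour, so it complements rather than replaces the other two proposals.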