<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>I'm part of the perf.html dev team.<br>
</p>
<p>Let me try to rephrase what the possible threat is:</p>
<ol>
<li>You are privacy-conscious so you have DNT enabled. You capture
a profile with the Gecko Profiler, and share it through
perf-html.io. Locally GA is _not_ loaded because DNT is
enabled.</li>
<li>You then hand over the link to another person.</li>
<li>This person is not as privacy-conscious, and didn't enable
DNT. As a result, loading the URL through perf-html.io _will_
load GA.</li>
<li>Loading GA involves loading a 3rd-party script we don't
control, and so this can be a malicious script.</li>
</ol>
<p>If that's the threat, I'd like to share some other bits of
information about perf-html, from _before_ we integrate GA:</p>
<ul>
<li>we already do load a 3rd-party script to shorten URLs: we use
the JSONP-based bit.ly API and therefore it involves loading a
&lt;script&gt;. Looking at it closer it seems they now support
CORS so we should switch to that instead.</li>
<li>when sharing profiles we already send the profiles to Google
Cloud Storage, plain and unencrypted.</li>
<li>before implementing GA we implemented CSP [1]</li>
</ul>
<p>This means we already had some threats even before we implemented
GA. I'm not saying "ok, now we can continue to do bad things" :)
You made me look at it closer and I do think we should address
them.</p>
<ol>
<li>We should encrypt the data <i>à la</i> Firefox Send.</li>
<li>We should switch to the CORS version of the bit.ly API</li>
<li>Maybe we should have a flag in the URL that would enable DNT
as well, so that it's easy to share a non-tracking URL to
perf-html.io. When a user with DNT enabled shares a profile, he
could check a checkbox to get this flag in the URL.</li>
</ol>
<p>Thoughts?<br>
</p>
<p>[1]
<a class="moz-txt-link-freetext" href="https://github.com/devtools-html/perf.html/blob/5382311a5a86ca2e40f534d0986b875dddf85da5/res/.htaccess#L49">https://github.com/devtools-html/perf.html/blob/5382311a5a86ca2e40f534d0986b875dddf85da5/res/.htaccess#L49</a><br>
</p>
<br>
<div class="moz-cite-prefix">On 18/11/2017 at 07:06, Boris Zbarsky
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f8879034-6806-de82-12ad-be6e2b454f60@mit.edu">On
11/17/17 7:50 PM, Harald Kirschner wrote:
<br>
<blockquote type="cite">nothing private about the profile itself
is collected in GA.
<br>
</blockquote>
<br>
Assuming GA itself is not buggy or malicious, right?
<br>
<br>
<blockquote type="cite">As alternative to uploading you can also
download the profiles locally and attach them to private bugs;
so you stay in control over them and can remove them as needed.
<br>
</blockquote>
<br>
I don't see how that's possible in a sane way. Capturing a
profile automatically hands the data to scripts running on
perf-html.io, no? It may not be uploaded in the sense of being
stored on the server, but it's in the global the GA scripts are
running in.
<br>
<br>
I have to admit that this change makes me a lot less comfortable
using the Gecko profiler at all. :(
<br>
<br>
<blockquote type="cite">Would it be helpful to have anonymization
as an option; to have a best-effort approach on removing PII
like URLs from profiles?
<br>
</blockquote>
<br>
If it were done in the profiler itself (i.e. in code we control),
not in perf-html.io (which we don't fully control if we load
third-party scripts into it), it would help with the privacy
issue. Of course it would make the profiles a lot less useful
(e.g. make it harder to figure out which site of the several I
have open is causing the performance problem).
<br>
<br>
-Boris
<br>
_______________________________________________
<br>
firefox-dev mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/firefox-dev">https://mail.mozilla.org/listinfo/firefox-dev</a>
<br>
</blockquote>
<br>
</body>
</html>