(from PTO, will be slow to respond)<br><br>Thanks Julien for jumping in. To his point that security wasn’t lowered but raised when we prepared perf.html for adding GA: bugzilla and crash-stats have GA for tracking product analytics, as these teams, just like ours, want to make data-driven decisions on where to focus their efforts. Just like perf.html, these sites tightly control how GA gets embedded and what is tracked.<br><br>Thank you to everybody else for raising the general concern about using a hosted web app. For the future we might look at other ways to deliver the web app that provide more control; ideas welcome. A first step for now would be to review how to replace the 3rd-party libraries included, as both GA and bitly provide HTTP APIs.<br><br>Thanks again. If you have feedback on perf.html outside of the scope of this discussion, please don’t hesitate to file it at <a href="https://github.com/devtools-html/perf.html/">https://github.com/devtools-html/perf.html/</a><br><br>/Harald<br><div class="gmail_quote"><div dir="ltr">On Sun, Nov 19, 2017 at 3:46 PM Julien Wajsberg &lt;<a href="mailto:jwajsberg@mozilla.com">jwajsberg@mozilla.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>I'm part of the perf.html dev team.<br>
</p>
<p>Let me try to rephrase what the possible threat is:</p>
<ol>
<li>You are privacy-conscious so you have DNT enabled. You capture
a profile with the Gecko Profiler, and share it through
<a href="http://perf-html.io" target="_blank">perf-html.io</a>. Locally GA is _not_ loaded because DNT is
enabled.</li>
<li>You then hand over the link to another person.</li>
<li>This person is not as privacy-conscious, and didn't enable
DNT. As a result, loading the URL through <a href="http://perf-html.io" target="_blank">perf-html.io</a> _will_
load GA.</li>
<li>Loading GA involves loading a 3rd-party script we don't
control, and so this can be a malicious script.</li>
</ol>
<p>If that's the threat, I'd like to share some other bits of
information about perf-html, from _before_ we integrated GA:</p>
<ul>
<li>we already do load a 3rd-party script to shorten URLs: we use
the JSONP-based <a href="http://bit.ly" target="_blank">bit.ly</a> API and therefore it involves loading a
&lt;script&gt;. Looking at it more closely, it seems they now support
CORS, so we should switch to that instead.</li>
<li>when sharing profiles we already send the profiles to Google
Cloud Storage, plain and unencrypted.</li>
<li>before implementing GA we implemented CSP [1]</li>
</ul>
<p>This means we already had some threats even before we implemented
GA. I'm not saying "ok, now we can continue to do bad things" :)
You made me look at it closer and I do think we should address
them.</p>
<ol>
<li>We should encrypt the data <i>à la</i> Firefox Send.</li>
<li>We should switch to the CORS version of the <a href="http://bit.ly" target="_blank">bit.ly</a> API</li>
<li>Maybe we should have a flag in the URL that would enable DNT
as well, so that it's easy to share a non-tracking URL to
<a href="http://perf-html.io" target="_blank">perf-html.io</a>. When a user with DNT enabled shares a profile, he
could check a checkbox to get this flag in the URL.</li>
</ol>
<p>Thoughts?<br>
</p>
<p>[1]
<a class="m_-7230536804241704700moz-txt-link-freetext" href="https://github.com/devtools-html/perf.html/blob/5382311a5a86ca2e40f534d0986b875dddf85da5/res/.htaccess#L49" target="_blank">https://github.com/devtools-html/perf.html/blob/5382311a5a86ca2e40f534d0986b875dddf85da5/res/.htaccess#L49</a><br>
</p></div><div text="#000000" bgcolor="#FFFFFF">
<br>
<div class="m_-7230536804241704700moz-cite-prefix">On 18/11/2017 at 07:06, Boris Zbarsky
wrote:<br>
</div>
<blockquote type="cite">On
11/17/17 7:50 PM, Harald Kirschner wrote:
<br>
<blockquote type="cite">nothing private about the profile itself
is collected in GA.
<br>
</blockquote>
<br>
Assuming GA itself is not buggy or malicious, right?
<br>
<br>
<blockquote type="cite">As an alternative to uploading you can also
download the profiles locally and attach them to private bugs,
so you stay in control over them and can remove them as needed.
<br>
</blockquote>
<br>
I don't see how that's possible in a sane way. Capturing a
profile automatically hands the data to scripts running on
<a href="http://perf-html.io" target="_blank">perf-html.io</a>, no? It may not be uploaded in the sense of being
stored on the server, but it's in the global the GA scripts are
running in.
<br>
<br>
I have to admit that this change makes me a lot less comfortable
using the Gecko profiler at all. :(
<br>
<br>
<blockquote type="cite">Would it be helpful to have anonymization
as an option; to have a best-effort approach on removing PII
like URLs from profiles?
<br>
</blockquote>
<br>
If it were done in the profiler itself (i.e. in code we control),
not in <a href="http://perf-html.io" target="_blank">perf-html.io</a> (which we don't fully control if we load
third-party scripts into it), it would help with the privacy
issue. Of course it would make the profiles a lot less useful
(e.g. make it harder to figure out which site of the several I
have open is causing the performance problem).
<br>
<br>
-Boris
<br>
_______________________________________________
<br>
firefox-dev mailing list
<br>
<a class="m_-7230536804241704700moz-txt-link-abbreviated" href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a>
<br>
<a class="m_-7230536804241704700moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a>
<br>
</blockquote>
<br>
</div>
</blockquote></div>
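<p>Two of the mitigations proposed in the thread, the DNT-propagating URL flag and the switch from a JSONP &lt;script&gt; injection to a CORS fetch(), as an added example written for this page. It is not perf.html code and was not written by anyone in the thread; the flag name <code>notrack</code>, the shortener endpoint and its JSON response shape, and the <code>fakeDocument</code> stand-in for the DOM are assumptions made so the functions run under Node without a browser.</p>

```javascript
// Added example (not perf.html code): two of the mitigations discussed in the thread,
// written as plain functions so they can run under Node without a browser.
//  1. Gate the third-party analytics script on the browser's DNT signal *and* on a
//     URL flag the sharer can set, so a DNT user's link does not load GA for the recipient.
//  2. Replace the JSONP <script> injection used for URL shortening with a CORS fetch():
//     fetch() hands back data the page validates, whereas a JSONP <script> runs whatever
//     the remote server sends, in the page's global scope.
// The flag name, shortener endpoint and response shape are assumptions for this demo.

const NOTRACK_PARAM = 'notrack'; // hypothetical flag name, not something perf.html defines

// navigator.doNotTrack is "1" (or "yes" in some older browsers) when DNT is on.
function dntEnabled(dnt) {
  return dnt === '1' || dnt === 'yes';
}

// Analytics may load only if neither the visitor's DNT nor the link's flag forbids it.
function analyticsAllowed(dnt, pageUrl) {
  if (dntEnabled(dnt)) return false;
  return !new URL(pageUrl).searchParams.has(NOTRACK_PARAM);
}

// When a DNT user shares a profile, carry that choice into the link itself so the
// recipient's browser settings no longer decide whether GA loads.
function buildShareUrl(baseUrl, sharerDnt) {
  const u = new URL(baseUrl);
  if (dntEnabled(sharerDnt)) u.searchParams.set(NOTRACK_PARAM, '1');
  return u.toString();
}

// Inject the analytics <script> only when allowed. `doc` is passed in so the
// function can be exercised with a stand-in for `document`.
function maybeLoadAnalytics(doc, dnt, pageUrl, scriptSrc) {
  if (!analyticsAllowed(dnt, pageUrl)) return false;
  const s = doc.createElement('script');
  s.src = scriptSrc;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}

// CORS replacement for the JSONP shortener call. `fetchImpl` is injected (the global
// fetch in a browser or recent Node). The JSON reply is untrusted data and is validated
// before the link is used anywhere in the page.
async function shortenUrlCors(fetchImpl, endpoint, longUrl) {
  const res = await fetchImpl(endpoint, {
    method: 'POST',
    mode: 'cors',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ long_url: longUrl }),
  });
  if (!res.ok) throw new Error(`shortener returned HTTP ${res.status}`);
  const data = await res.json();
  // Accept only a plain https URL; anything else is rejected rather than inserted.
  if (typeof data.link !== 'string' || !/^https:\/\/[^\s"'<>]+$/.test(data.link)) {
    throw new Error('unexpected shortener response');
  }
  return data.link;
}

// Constructed stand-in for the DOM so the demo runs outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tag) => ({ tagName: tag }) };
}

// Demo: a sharer with DNT on produces a link that suppresses GA for a recipient without DNT.
const shared = buildShareUrl('https://perf-html.io/EXAMPLE_PATH', '1');
const demoDoc = fakeDocument();
const loaded = maybeLoadAnalytics(demoDoc, null, shared, 'https://www.google-analytics.com/analytics.js');
console.log(shared, '| analytics loaded:', loaded, '| scripts in head:', demoDoc.head.children.length);
```

<p>The point of injecting <code>fetchImpl</code> and <code>doc</code> is not style: it lets the gating logic be unit-tested against a recipient who has no DNT set, which is exactly the case the thread worries about, without a browser in the loop.</p>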