Skip to content

Conversation

@ghostwords
Copy link
Member

Fixes #1191.

@ghostwords ghostwords added the yellowlist Domains on this list are allowed but with restrictions: no referrer headers or cookies/localStorage label Aug 3, 2017
@ghostwords ghostwords requested a review from cowlicks August 3, 2017 21:19
@ghostwords
Copy link
Member Author

By the way, I see "database storage" being used by api.solvemedia.com but I have trouble getting Chrome dev tools to show me the contents.

screenshot from 2017-08-03 17 37 57

screenshot from 2017-08-03 17 38 08

@cowlicks
Copy link
Contributor

cowlicks commented Aug 4, 2017

@ghostwords I suspect that this is either indexedDB or web SQL. I looked into a way for clients to inspect local indexedDB data on an origin. Unfortunately the way to do this has been removed recently. I've followed up with chrome to get this restored.

It seems that the only way we can get this data is to monitor indexedDB access on clients and record database names.

Copy link
Contributor

@cowlicks cowlicks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I supposed we are cookie blocking solvemedia.com because api.solvemedia.com is setting cookies on it? I only saw api.solvemedia.com loaded in the linked domains.

This works because yellowlisting solvemedia.com also yellowlists api.solvemedia.com right? We should document that somewhere, but not in this PR.

@ghostwords
Copy link
Member Author

ghostwords commented Aug 22, 2017

Subdomains of yellowlisted domains should end up getting "cookieblocked".

Agreed, we should add tests for the various scenarios of adding domains to the yellowlist and what effect that has on their heuristicAction properties. That to me is what #1515 is about. [Update: 372c009 adds a basic test of a domain going from "block" to "cookieblock".]

I think we should be careful about the distinction between something being "yellowlisted" (added to our exception list of domains but not directly used by Privacy Badger's decisioning) and something being "cookieblocked" (a Privacy Badger decision state, distinct from blocked, not-yet-blocked, or non-tracking).

We do have a test for when you have a blocked subdomain and a cookieblocked parent domain:

QUnit.test("cookieblocking overrules blocking", (assert) => {
// mark domain for cookieblocking
storage.setupHeuristicAction(DOMAIN, constants.COOKIEBLOCK);
// mark subdomain for blocking
storage.setupHeuristicAction(SUBDOMAIN, constants.BLOCK);
// check domain itself
assert.equal(
storage.getAction(DOMAIN),
constants.COOKIEBLOCK,
"domain is marked for cookieblocking directly"
);
assert.equal(
storage.getBestAction(DOMAIN),
constants.COOKIEBLOCK,
"domain is marked for cookieblocking"
);
// check that subdomain inherits cookieblocking
assert.equal(
storage.getAction(SUBDOMAIN),
constants.BLOCK,
"subdomain is marked for blocking directly"
);
assert.equal(
storage.getBestAction(SUBDOMAIN),
constants.COOKIEBLOCK,
"subdomain is marked for cookieblocking (via parent domain)"
);
});

@ghostwords
Copy link
Member Author

@cowlicks Should we yellowlist solvemedia.com even though it sets database storage?

@ghostwords
Copy link
Member Author

Opened a crbug re inability to inspect IndexedDB contents in Chrome settings/dev tools: https://bugs.chromium.org/p/chromium/issues/detail?id=930773

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

help wanted yellowlist Domains on this list are allowed but with restrictions: no referrer headers or cookies/localStorage

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants