[tbb-bugs] #23349 [Applications/Tor Browser]: Disable navigator.send_beacon().
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 29 09:25:12 UTC 2017
#23349: Disable navigator.send_beacon().
--------------------------------------+-----------------------------------
Reporter: yawning | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by yawning):
Replying to [comment:1 gk]:
> What is so special about `sendBeacon` that we should treat it
differently than the more cumbersome it means to replace (see the MDN page
you linked to and https://w3c.github.io/beacon/, especially the Privacy
and Security section? Or, asked differently, why should we allow all the
other awful techniques but not `sendBeacon`.
In an ideal world, we shouldn't allow any of those other awful things
either.
> Could you elaborate on the "runs counter to 'Transpaency in Navigation
Tracking'" claim? What does `sendBeacon` add that is not entailed in the
usual third party (data aggregation) requests?
"Report session data when the page transitions to background state or is
being unloaded, without blocking the user agent." is anything but
transparent. Philosophically, an API call that was introduced primarily
to facilitate anti-privacy practices is horrific and evil.
I guess a better time to push for it being disabled was, when it was first
introduced, because it was blatantly broken (CVE-2014-8638), and not just
when I disagree with it from a philosophical point of view.
*shrug*
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23349#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list