[meta] 外部への情報送信機能をすべて無効化する

[dynamis]

組込用途では利用者データの収集などは不要だし、いろいろな理由でブラウザエンジン側がデータにアクセスしたり個人情報を取得したりすることを避けたい避けたい場面があるが、Firefox のビルドデフォルトではいろいろな個人情報や統計データ、クラッシュレポートなどを収集、送信したりする機能がある。

Firefox のプライバシーポリシーで掲載されている項目は一通り無効化する方法・パッチを用意する。

https://www.mozilla.org/en-US/privacy/firefox/ https://www.mozilla.org/ja/privacy/firefox/

[dynamis]

次の issue が対象:

• フォーム系要素などの動作を確認 #10
• Telemetry の無効化 #11
• 初回起動時のデータ取得・送信を無効化 #12
• コンテンツ推薦系の動作がないことを確認 #13
• セキュリティ更新系の通信を無効化 #14
• クラッシュレポートを無効化 #15
• Firefox ヘルスレポートを無効化 #16
• Mozilla マーケティング関連のデータ送信がないことを確認 #17
• Mozilla のサービス連携を無効化する #18
• Geolocation API を無効化する #19
• Web Push API を無効化する #20
• アドオンマネージャからのデータ送信無効化 #21

privacy タグの issue リスト: https://github.com/webdino/amethyst/issues?q=is%3Aissue+is%3Aopen+label%3Aprivacy

[kou029w]

7deb3c89 ビルドにて、通常Firefoxがアクセスしうる以下のホストへのリクエストが発生しないことを確認

• content-signature-2.cdn.mozilla.net
• detectportal.firefox.com
• ocsp.digicert.com
• profile.accounts.firefox.com
• push.services.mozilla.com

確かめるために使用したコード:

NSPR_LOG_MODULES=nsHttp:3 NSPR_LOG_FILE=ns-http.log webviewer htts://example.com
^C
perl -ne 'print if (/http request \[$/../]$/)' ns-http.log

[4089:Main Thread]: I/nsHttp http request [
[4089:Main Thread]: I/nsHttp   GET / HTTP/1.1
[4089:Main Thread]: I/nsHttp   Host: example.com
[4089:Main Thread]: I/nsHttp   User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:60.0) Gecko/20100101 Firefox/60.0
[4089:Main Thread]: I/nsHttp   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[4089:Main Thread]: I/nsHttp   Accept-Language: en-US,en;q=0.5
[4089:Main Thread]: I/nsHttp   Accept-Encoding: gzip, deflate, br
[4089:Main Thread]: I/nsHttp   Connection: keep-alive
[4089:Main Thread]: I/nsHttp   Upgrade-Insecure-Requests: 1
[4089:Main Thread]: I/nsHttp ]

通常のFirefoxでの結果

環境: ```log $ lsb_release --all No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 19.04 Release: 19.04 Codename: disco $ firefox --version Mozilla Firefox 69.0 $ NSPR_LOG_MODULES=nsHttp:3 NSPR_LOG_FILE=ns-http.log firefox https://example.com ^C $ perl -ne 'print if (/http request \[$/../]$/)' ns-http.log ``` ```log [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET /v1/profile HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: profile.accounts.firefox.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: application/json [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate, br [Parent 11239: Main Thread]: E/nsHttp authorization: *********************************************************************** [Parent 11239: Main Thread]: E/nsHttp if-none-match: "9dce3d13038691184e95ccc40f828c2eec9e6ac9-gzip" [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp Pragma: no-cache [Parent 11239: Main Thread]: E/nsHttp Cache-Control: no-cache [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET /success.txt HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: detectportal.firefox.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate [Parent 11239: Main Thread]: E/nsHttp Cache-Control: no-cache [Parent 11239: Main Thread]: E/nsHttp Pragma: no-cache [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET /success.txt?ipv4 HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: detectportal.firefox.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp Pragma: no-cache [Parent 11239: Main Thread]: E/nsHttp Cache-Control: no-cache [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET /success.txt?ipv6 HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: detectportal.firefox.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp Pragma: no-cache [Parent 11239: Main Thread]: E/nsHttp Cache-Control: no-cache [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp POST / HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: ocsp.digicert.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate [Parent 11239: Main Thread]: E/nsHttp Content-Type: application/ocsp-request [Parent 11239: Main Thread]: E/nsHttp Content-Length: 83 [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET /chains/remote-settings.content-signature.mozilla.org-2019-10-02-18-15-08.chain HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: content-signature-2.cdn.mozilla.net [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate, br [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET / HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: push.services.mozilla.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate, br [Parent 11239: Main Thread]: E/nsHttp Sec-WebSocket-Version: 13 [Parent 11239: Main Thread]: E/nsHttp Origin: wss://push.services.mozilla.com/ [Parent 11239: Main Thread]: E/nsHttp Sec-WebSocket-Protocol: push-notification [Parent 11239: Main Thread]: E/nsHttp Sec-WebSocket-Extensions: permessage-deflate [Parent 11239: Main Thread]: E/nsHttp Sec-WebSocket-Key: HKJofQesKYxJnjPLhuR8fw== [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive, Upgrade [Parent 11239: Main Thread]: E/nsHttp Pragma: no-cache [Parent 11239: Main Thread]: E/nsHttp Cache-Control: no-cache [Parent 11239: Main Thread]: E/nsHttp Upgrade: websocket [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp POST / HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: ocsp.digicert.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: */* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate [Parent 11239: Main Thread]: E/nsHttp Content-Type: application/ocsp-request [Parent 11239: Main Thread]: E/nsHttp Content-Length: 83 [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET / HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: example.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate, br [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp Upgrade-Insecure-Requests: 1 [Parent 11239: Main Thread]: E/nsHttp ] [Parent 11239: Main Thread]: E/nsHttp http request [ [Parent 11239: Main Thread]: E/nsHttp GET /favicon.ico HTTP/1.1 [Parent 11239: Main Thread]: E/nsHttp Host: example.com [Parent 11239: Main Thread]: E/nsHttp User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 [Parent 11239: Main Thread]: E/nsHttp Accept: image/webp,*/* [Parent 11239: Main Thread]: E/nsHttp Accept-Language: ja,en-US;q=0.7,en;q=0.3 [Parent 11239: Main Thread]: E/nsHttp Accept-Encoding: gzip, deflate, br [Parent 11239: Main Thread]: E/nsHttp Connection: keep-alive [Parent 11239: Main Thread]: E/nsHttp ] ```

[kou029w]

デフォルトだとダウンロードファイルのマルウェアチェック機能 (browser.safebrowsing.*) が有効なため、PDFファイルなどにダウンロード可能なURLにアクセスするとGoogleへのリクエストが発生するようです

[4942:Main Thread]: I/nsHttp http request [
[4942:Main Thread]: I/nsHttp   POST /safebrowsing/clientreport/download?key=%GOOGLE_API_KEY% HTTP/1.1
[4942:Main Thread]: I/nsHttp   Host: sb-ssl.google.com
[4942:Main Thread]: I/nsHttp   User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:60.0) Gecko/20100101 Firefox/60.0
[4942:Main Thread]: I/nsHttp   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[4942:Main Thread]: I/nsHttp   Accept-Language: en-US,en;q=0.5
[4942:Main Thread]: I/nsHttp   Accept-Encoding: gzip, deflate, br
[4942:Main Thread]: I/nsHttp   Content-Length: 230
[4942:Main Thread]: I/nsHttp   Content-Type: application/octet-stream
[4942:Main Thread]: I/nsHttp   Cookie: NID=188=l29-6tkUA6aPul2Km0nCtT6rw6LHYBTLO2u89CwI7pdq9O6KM9xEeAUg8CQ5ztc8U5VTaWZlBDOjbG9N6RWMZYZRm0yZvdvdOsU6NklY2CasReySSmKoJ3FriuxS74J4OK15Y0lggQpb8mrWkck7PQEEL2Qt5ZwV1r1oHfLRk54
[4942:Main Thread]: I/nsHttp   Connection: keep-alive
[4942:Main Thread]: I/nsHttp ]

サンプル: https://file-examples.com/wp-content/uploads/2017/10/file-sample_150kB.pdf 参考文献: https://www.mozilla.jp/business/faq/tech/security/

// Google Safe Browsing機能
lockPref("browser.safebrowsing.enabled", false);
lockPref("browser.safebrowsing.malware.enabled", false);
lockPref("browser.safebrowsing.gethashURL", "");
lockPref("browser.safebrowsing.keyURL", "");  // Firefox 38用
lockPref("browser.safebrowsing.malware", "");  // Firefox 38用
lockPref("browser.safebrowsing.malware.reportURL", "");
lockPref("browser.safebrowsing.reportErrorURL", "");
lockPref("browser.safebrowsing.reportGenericURL", "");
lockPref("browser.safebrowsing.reportMalwareErrorURL", "");
lockPref("browser.safebrowsing.reportMalwareURL", "");
lockPref("browser.safebrowsing.reportPhishURL", "");
lockPref("browser.safebrowsing.reportURL", "");
lockPref("browser.safebrowsing.updateURL", "");
lockPref("browser.safebrowsing.warning.infoURL", "");  // Firefox 38用
lockPref("browser.safebrowsing.appRepURL", "");

[hATrayflood]

マルウェアチェック機能そのものは無効にしてないため、そのような動作になりますね。 この通信も止めるかどうかご判断ください。 @dynamis @kou029w

[dynamis]

すみません、明文化＆個別 issue 立てる際に漏れていました (細かなところばかり気にして有名どころを忘れていた...)。

42 として立てましたが、パッチ作成お願い出来ますでしょうか。

[hATrayflood]

https://github.com/webdino/amethyst/issues/42#issuecomment-532177955 対応しました。

[dynamis]

リリース済み・クローズ。