NEW
274840
[WPE][GTK] Investigate AdvancedPrivacyProtections
https://bugs.webkit.org/show_bug.cgi?id=274840
Michael Catanzaro
Reported
2024-05-29 09:34:04 PDT
264942@main introduced an Advanced Privacy Protections feature that's enabled in Safari private browsing mode, including (from the commit message):

• Link decoration defenses (filtering and hiding on cross-origin navigation)
• Tracker blocking in various forms
• Improved fingerprinting protections (2D canvas, WebGL, web audio, screen/window geometry)
• Opting into network-level system privacy enhancements

Unfortunately the first two bullet points appear to be Apple-specific in that they depend on the application passing data to WebKit. Presumably that data is proprietary to Safari and not reusable? (Hey Wenson, if you could confirm, that would be helpful.)

The third bullet point looks like low-hanging fruit. We probably just need a way to set the right flags to enable this. In particular, it inserts per-origin noise into API results that can be used for cross-origin tracking.

The fourth bullet point, network-level system privacy enhancements, requires investigation to figure out what that entails and how to implement for libsoup. Since Apple's network stack is proprietary, probably the only thing we can do is ask what "network-level system privacy enhancements" entails and see what they'll tell us. (Hey Wenson, any info you have on this would be helpful.)
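A simplified model of the per-origin noise described in the third bullet, added here as an example; it is not WebKit's code. The HMAC key derivation, the low-bit noise, the per-session salt and the site names are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the raw bytes a canvas readback would return on one
# device. Without noise, a script sees exactly these bytes on every site.
RAW_CANVAS = bytes((x * 7 + y * 13) % 256 for y in range(16) for x in range(16))


def noise_key(session_salt: bytes, first_party: str) -> bytes:
    """Derive a per-first-party key (assumed scheme: HMAC over the domain)."""
    return hmac.new(session_salt, first_party.encode(), hashlib.sha256).digest()


def noisy_readback(pixels: bytes, key: bytes) -> bytes:
    """XOR the low bit of each byte with a keyed, deterministic bit stream."""
    out = bytearray(pixels)
    for block in range(0, len(out), 256):
        # One SHA-256 digest supplies 256 noise bits, one per byte in the block.
        stream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        for i in range(block, min(block + 256, len(out))):
            out[i] ^= (stream[(i - block) // 8] >> (i % 8)) & 1
    return bytes(out)


def fingerprint(pixels: bytes) -> str:
    """What a tracking script would compute from the readback."""
    return hashlib.sha256(pixels).hexdigest()[:16]


def observed_fingerprint(first_party: str, session_salt: Optional[bytes]) -> str:
    """Fingerprint seen by a script under `first_party`; None means no noise."""
    if session_salt is None:
        return fingerprint(RAW_CANVAS)
    key = noise_key(session_salt, first_party)
    return fingerprint(noisy_readback(RAW_CANVAS, key))


if __name__ == "__main__":
    salt = os.urandom(32)  # assumed to be regenerated for each browsing session
    for site in ("news.example", "shop.example", "news.example"):
        print(site, "unprotected:", observed_fingerprint(site, None),
              "protected:", observed_fingerprint(site, salt))
```

In this model the unprotected fingerprint is identical on every site, while the protected one is stable within a first party and differs between first parties.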
Michael Catanzaro
Comment 1
2024-05-29 11:45:56 PDT
This one-line patch (for testing purposes only, not a serious patch) significantly improves our performance on https://coveryourtracks.eff.org/

diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebsitePolicies.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebsitePolicies.cpp index fd2a94767aca..7c4b5cd3bec2 100644 --- a/Source/WebKit/UIProcess/API/glib/WebKitWebsitePolicies.cpp +++ b/Source/WebKit/UIProcess/API/glib/WebKitWebsitePolicies.cpp @@ -52,6 +52,7 @@ struct _WebKitWebsitePoliciesPrivate { _WebKitWebsitePoliciesPrivate() : websitePolicies(API::WebsitePolicies::create()) { + websitePolicies->setAdvancedPrivacyProtections({ WebCore::AdvancedPrivacyProtections::BaselineProtections, WebCore::AdvancedPrivacyProtections::FingerprintingProtections }); } RefPtr<API::WebsitePolicies> websitePolicies; };

We go from "Our tests indicate that you have some protection against Web tracking, but it has some gaps" to "Our tests indicate that you have strong protection against Web tracking."

The changes I see are:

* Fake screen size
* Canvas, WebGL, AudioContext fingerprints randomized by first-party domain

However, it all depends on API::WebsitePolicies. The GTK/WPE API website policies API probably needs to be deprecated and replaced, bug #259577.
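Review bot: the added setAdvancedPrivacyProtections(...) call sits unconditionally in the _WebKitWebsitePoliciesPrivate() constructor, so every WebKitWebsitePolicies object gets BaselineProtections and FingerprintingProtections with no way for an embedder to opt out or choose a different set. For anything beyond testing, pass the option set in from a construct-time property or setting instead of hard-coding it in the constructor, and add a comment or API documentation stating which protections are enabled by default and what they change for page content.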
Michael Catanzaro
Comment 2
2024-07-16 11:31:16 PDT
There is now a detailed blog post explaining things:
https://webkit.org/blog/15697/private-browsing-2-0/