Issue #112: Consider implementing NEL Shield - webextension

JShelter / webextension

#112 Consider implementing NEL Shield

Opened 21 days ago by polcak. Modified 21 days ago

Summary

We researched Data Protection and Security Issues With Network Error Logging and it seems that we should add a shield to JShelter to protect users from NEL tracking.

Setup

Only Chromium-based browsers are affected ATM.
Brave does not support NEL.
For Firefox, see https://github.com/mozilla/standards-positions/issues/99

Pages affected: The deployment raised from 0 to 11.73 % (almost 2,250,000 unique domains) since 2019. Current deployment is dominated by Cloudflare. See https://arxiv.org/pdf/2305.01249.pdf.

Expected result

JShelter removes NEL headers from HTTP replies.
Consider removal of Report-To headers.
JShelter should insert policy removing previous NEL policy (validity = 0), see the paper for reasoning.

Additional information / notes

We will work on the issue after migration to MV3.

polcak commented 21 days ago

Report to W3C: https://github.com/w3c/network-error-logging/issues/136, report to Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=1445886, report to Firefox https://github.com/mozilla/standards-positions/issues/99#issuecomment-1549246081.

Metadata

Assignee

polcak

Tags

Blocking

None

Depending on

None

Priority

Normal

Milestone

None

JShelter / webextension

Source Code

#112 Consider implementing NEL Shield Opened 21 days ago by polcak. Modified 21 days ago

Close issue as:

Summary

Setup

Expected result

Additional information / notes

Metadata

enhancement design decision

#112 Consider implementing NEL Shield

Opened 21 days ago by polcak. Modified 21 days ago