#112 Consider implementing NEL Shield
Opened a year ago by polcak. Modified a year ago

Summary

We researched Data Protection and Security Issues With Network Error Logging and it seems that we should add a shield to JShelter to protect users from NEL tracking.

Setup

  1. Only Chromium-based browsers are affected ATM.
  2. Brave does not support NEL.
  3. For Firefox, see https://github.com/mozilla/standards-positions/issues/99

Pages affected: The deployment rose from 0 to 11.73 % (almost 2,250,000 unique domains) since 2019. Current deployment is dominated by Cloudflare. See https://arxiv.org/pdf/2305.01249.pdf.

Expected result

  1. JShelter removes NEL headers from HTTP replies.
  2. Consider removal of Report-To headers.
  3. JShelter should insert a policy removing the previous NEL policy (validity = 0), see the paper for reasoning.

Additional information / notes

We will work on the issue after migration to MV3.
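
The three expected results above, sketched as an added example (not JShelter code and not part of the original ticket). The function names `applyNelShield` and `nelShieldRule`, the option `stripReportTo` and the sample headers are hypothetical, and "validity = 0" is taken to mean a NEL policy whose `max_age` is 0, which makes the browser drop the policy it stored for that origin.

```javascript
// NEL policy with zero lifetime: the browser evicts the policy cached for the origin.
const NEL_CLEAR = '{"max_age":0}';

// Constructed sample response headers in webRequest form ([{name, value}]).
const SAMPLE = [
  { name: "Content-Type", value: "text/html" },
  { name: "nel", value: '{"report_to":"default","max_age":2592000}' },
  { name: "Report-To", value: '{"group":"default","max_age":2592000,' +
      '"endpoints":[{"url":"https://reports.example/nel"}]}' },
];

// Pure header rewrite, usable from a webRequest.onHeadersReceived listener.
function applyNelShield(headers, url, { stripReportTo = false } = {}) {
  const drop = new Set(["nel"]);
  // Report-To also carries non-NEL reporting groups, so removing it is optional.
  if (stripReportTo) drop.add("report-to");
  // Header names are case-insensitive and a response may repeat them.
  const kept = headers.filter((h) => !drop.has(h.name.toLowerCase()));
  const removed = headers.length - kept.length;
  // NEL policies are only honoured on secure origins, so the clearing
  // policy is inserted for https responses only.
  if (new URL(url).protocol === "https:") {
    kept.push({ name: "NEL", value: NEL_CLEAR });
  }
  return { headers: kept, removed };
}

// The same behaviour as an MV3 declarativeNetRequest rule: "set" replaces the
// server's NEL header with the clearing policy in one operation.
function nelShieldRule(id, { stripReportTo = false } = {}) {
  const responseHeaders = [{ header: "nel", operation: "set", value: NEL_CLEAR }];
  if (stripReportTo) {
    responseHeaders.push({ header: "report-to", operation: "remove" });
  }
  return {
    id,
    priority: 1,
    action: { type: "modifyHeaders", responseHeaders },
    condition: {
      urlFilter: "|https://",
      // Listed explicitly: with no resourceTypes, main_frame is not matched.
      resourceTypes: ["main_frame", "sub_frame", "stylesheet", "script", "image",
        "font", "object", "xmlhttprequest", "ping", "media", "websocket", "other"],
    },
  };
}
```

The rule object is meant to be passed to `chrome.declarativeNetRequest.updateDynamicRules({ addRules: [...] })` or shipped in a static ruleset.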

