5

Overview

Webkit and Chromium engine both perform pre-connections when visiting sites, even with uBlock Origin installed. Users cannot disable this in the options. The only browsers that mitigate this are Brave (Chromium), who remove them altogether, and Firefox (not by default, but users can still change it). uBlock Origin disables speculative connections by default, but this only works in Firefox:

[This] does not cause DNS lookups, preconnections and prefetches to be reliably blocked, because Chromium [and Webkit] allows web pages to override that user setting.

Speculative connections include:

  • DNS request prefetching (e.g. "Link prefetching" in Webkit Experiments)
  • Network Preloading
  • Preloading resources (e.g. "Link preload responsive images" in Webkit Experiments)

You may find a description and related website explanations on each of these here. The descriptions are geared towards Firefox preferences, but the content is applicable to all browsers.

Example

Here's an example from cnn.com that I took a screenshot of in Orion's console:

So, in this example, even though I have uBlock Origin blocking Google Tag Manager, Chrome, Safari, Orion all preload it despite my tracking settings.

Conclusion

Blocking trackers isn't enough. We need to remove altogether (or turn off by default) all preloading, prefetching, and preconnections. This will put Orion's tracking mitigations further inline with Brave and hardened Firefox.

  • Vlad replied to this.

    yokoffing Interesting to debate.

    Features you describe are part of the W3 standards. They help make websites quicker.

    I am not sure how preloading a script has any privacy implications that normally loading a script doesn't. If any of the scripts preloaded that should be blocked by ad/tracking blocker isn't blocked by default, that is a bug that should be addressed separately.

    By the way you can disable most of these through Develop->Experimental features.

        a month later

        Vlad By the way you can disable most of these through Develop->Experimental features.

        My experience has been that even if I turn off these experiments, I still see preloaded resources in Dev Tools. I welcome other users to try and see if they can replicate this.

        As far as being experimental: When Apple devs move these from experiments to being fully integrated into Webkit, the problem will remain and be potentially more cumbersome to remove or disable.

            No one is typing