Pass-through mozilla tracking protection requests #8374
Comments
It's not ZAP but Firefox that's sending those requests.
Having worked at Mozilla I'm pretty sure they won't mind either way 😉
I'm aware that Firefox is initiating those requests, but the way that ZAP initiates Firefox (as in not setting this setting to off) is causing Firefox to initiate those requests.
What is the plan doing?
It is basically a full authenticated scan, as in the type that is created when clicking "new plan..." in the Automation Framework tab in the GUI and then selecting the Full scan profile.
It has some additions such as excluded paths and alert filters that have been added, but apart from that it is the same template.
I totally agree. We should reduce this "noise" since a ZAP scan doesn't need tracking-protection... It seems the option is called something like: In the ExtensionSelenium.java, maybe like this?
The only thing where I am not sure is the option name. It contains
ZAP is also used by humans.
Sure but either way - I don't see any benefit to report such requests to Mozilla. It is a pentest of a site - automated or by a human. Firefox sometimes sends several megabytes of data (per request!) to this URL when using ZAP. And I doubt that this data is in any way helpful on the Mozilla side (e.g. checking whether some tracking was involved or not). Update:
@psiinon Do you have an idea how to disable this?
In that case it's something to be set by
So it is possible to pass preferences along when starting it?
Is there a plan to change this? If not I could work on creating a pull request, but may need a few pointers on where to look as it seems like @thc202 thinks it should be set by the geckodriver and not by firefox preferences as I had originally assumed. |
Feel free to open a pull request but only set the preference for "tools", not manual usage, or if you really want to do it for all make sure to document that so users know that it's being disabled. The
Do you mean here? GeckoDriver project at Mozilla.
In the options I would add (which of the two I do not know):
How would I set this to only work for tools? My idea would have been to add it like so in the Selenium extension:
But this would be a global change.
I haven't been able to create a working solution. Neither with the above code nor with just a plain policies file, which works on the normal Firefox browser when put in /etc/firefox/policies/policies.json:

```json
{
  "policies": {
    "EnableTrackingProtection": {
      "Value": false,
      "Locked": true,
      "Cryptomining": false,
      "Fingerprinting": false,
      "EmailTracking": false,
      "Exceptions": []
    }
  }
}
```

For some reason Firefox, when started by ZAP, ignores this policy even though it is meant to globally affect Firefox instances. @psiinon @thc202 do you have any idea why this might be?
It probably has to do with selenium/webdriver launching the browser and using an empty profile. It'd have to be set programmatically.
Okay, thanks. Do you have any further hints on how to do this? Or any pointer to the class where this geckodriver is instantiated with this empty profile?
It'd be back in this code you quoted earlier: #8374 (comment) I'm not sure how you'd limit it to specific invocations/tools though. @thc202 / @psiinon is there a reason this shouldn't be added as a default Global Exclude or TLS passthru?
I have attempted to fix this, this is what I have tried so far:
and started ZAP with
You can see many calls made to tracking protection by just using ZAP to manually go to google.com

```json
{
  "policies": {
    "EnableTrackingProtection": {
      "Value": false,
      "Locked": true,
      "Cryptomining": false,
      "Fingerprinting": false,
      "EmailTracking": false,
      "Exceptions": []
    }
  }
}
```

Which is enabled in the Firefox browser started by ZAP:

```java
firefoxOptions.addPreference("privacy.disable_button.tracking_protection_exceptions", true);
firefoxOptions.addPreference("network.cookie.cookieBehavior", 0);
firefoxOptions.addPreference("privacy.socialtracking.block_cookies.enabled", false);
firefoxOptions.addPreference("privacy.trackingprotection.enabled", false);
firefoxOptions.addPreference("privacy.trackingprotection.pbmode.enabled", false);
firefoxOptions.addPreference("privacy.trackingprotection.cryptomining.enabled", false);
firefoxOptions.addPreference("privacy.trackingprotection.fingerprinting.enabled", false);
```

and yet the tracking protection requests are still made.
Ok that is quite strange and should have worked imho but it seems that both ways (code change in
To the original issue: Is this really about pass-thru or are you after blocking/prevention? Because you should be able to use Global Excludes or TLS Pass-thru if that fits the requirement.
Describe the bug
When scanning our site with the ZAP Automation Framework inside Docker using the LogMessages.js script I discovered that a third of all requests made were made to https://tracking-protection.cdn.mozilla.net. The responses were sometimes up to several MB. I believe this should be disabled by default for privacy and efficiency reasons. Mozilla will probably appreciate it too.
Steps to reproduce the behavior
Create a Dockerfile which inherits softwaresecurityproject/zap-stable
Create a YAML script which scans a site and logs the requests made using LogMessages.js
Add an entrypoint which starts ZAP like so:
zap.sh -cmd -autorund -script.yaml
Look through the logfile when the scan completes.
Expected behavior
ZAP having the tracking-protection preference set to off by default.
turning off tracking-protection for Firefox using Selenium - Stack Overflow link
I believe that this change would need to be implemented here: ExtensionSelenium.java
But I may need more information to implement this myself.
Software versions
softwaresecurityproject/zap-stable latest 9899971d6689
Screenshots
No response
Errors from the zap.log file
No response
Additional context
No response
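An added check, not code from this issue or from ZAP itself, for the kind of request log the reporter describes: it measures how much of a scan's traffic went to the tracking-protection host and emits a matching Global Exclude regex, the alternative raised in the thread. The log line format, the example.test URLs and the byte counts are constructed assumptions; the regex form assumes ZAP applies Global Exclude entries as Java regexes against the full URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Browser background hosts to measure; the issue reports only this one.
BACKGROUND_HOSTS = {"tracking-protection.cdn.mozilla.net"}
# Constructed sample log. Assumed line format (not the real LogMessages.js output):
#   <METHOD> <URL> <status> <response-bytes>
SAMPLE_LOG = """\
GET https://example.test/ 200 5120
GET https://tracking-protection.cdn.mozilla.net/ads-track-digest256/123 200 2097152
GET https://example.test/login 200 3072
POST https://example.test/login 302 0
GET https://tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/45 200 1500000
GET https://example.test/account 200 9000
"""
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

def summarise(log_text):
    """Per-host request count and response bytes; malformed lines are skipped."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        stats[host]["requests"] += 1
        stats[host]["bytes"] += int(m["bytes"])
    return dict(stats)

def background_share(stats):
    """(request share, byte share) attributable to BACKGROUND_HOSTS."""
    total_req = sum(s["requests"] for s in stats.values())
    total_bytes = sum(s["bytes"] for s in stats.values())
    bg = [s for h, s in stats.items() if h in BACKGROUND_HOSTS]
    bg_req = sum(s["requests"] for s in bg)
    bg_bytes = sum(s["bytes"] for s in bg)
    return (bg_req / total_req if total_req else 0.0,
            bg_bytes / total_bytes if total_bytes else 0.0)

def exclude_regexes(stats):
    """Full-URL regexes, one per background host actually seen, in the form
    assumed for ZAP Global Exclude entries (Java regex against the whole URL)."""
    return sorted(rf"^https?://{re.escape(h)}/.*" for h in stats if h in BACKGROUND_HOSTS)

def excluded(regexes, url):
    """True when the URL would be dropped by one of the exclude regexes."""
    return any(re.fullmatch(rx, url) for rx in regexes)
```

Run over a real log, the byte share is the figure to watch: a handful of list downloads can dwarf the site traffic the scan was meant to record.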