security: add the ability to disable engagement tracking
-
Following a suggestion by @mib2berlin on this thread:
https://forum.vivaldi.net/topic/44010/is-it-possible-to-disable-site-engagement-tracking/4this is in reference to the urls:
vivaldi://site-engagement
vivaldi://media-engagementthese pages track data used by clients (websites, extensions, apps) to keep a profile on you:
www.chromium.org/developers/design-documents/site-engagementI'd like to request the ability to disable engagement tracking to prevent malicious sites from tracking me.
EDIT: update:
after finding out the engagement data is stored locally without the functionality to allow websites to access it,
websites don't have the functionality alone to track me, but there could be APIs used by malicious sites that could provide that functionality through JS exploits or such.that aside though, extensions and apps are the bigger issue here as they have local access to the files (within the chromium sandbox) on the PC and could potentially access the engagement data.
lastly, despite the large issue being out of the way, I'd still personally prefer to just disable it altogether, because I don't have nor see a real need for it, especially if websites can't access it.
(certain extensions and apps might actually have a need, which is why I'm suggesting an option over simply removing it) -
@Tcll said in security: add the ability to disable engagement tracking:
there could be APIs used by malicious sites that could provide that functionality through JS exploits or such.
If that's happening, you've got bigger problems coming than a small amount of engagement data leaking.
that aside though, extensions and apps are the bigger issue here as they have local access to the files on the PC and could potentially access the engagement data.
Once again, if extensions can access local files on your PC, you've got bigger problems.
-
well, vivaldi has bigger problems anyways, regarding malicious website APIs
but this request mitigates the ability to collect the (or at least one particular) targeted data.as for extensions, I know those are sandboxed, so most files on the entirety of the PC should be inaccessible...
but iirc, they should have access to browser-local cache files and such
(additionally, malicious extensions CAN change settings, as the excuse Opera uses for not allowing custom default search engines)
^ I can back that up, as uBlock Origin does just that (changes settings)as for apps, I'm not sure how far those could go, but I'd assume they'd have a much wider reach
(which is one reason I stopped using BitDefender Traffic Light) -
@Gwen-Dragon said in security: add the ability to disable engagement tracking:
after restart.
that's the issue though
during runtime, malicious sources can do whatever they want -
regarding website APIs
I'm not the biggest web developer, so I'm not sure what's out there
but I know JS exploits are a huge thing, and am more than certain websites are using custom APIs integrating them.
this is why I say it's vivaldi's issue.
(and it's not one I expect the up-most knowledge on, because nobody can know literally every last API built at the time of their conception, especially those built for hackers)my stance is, why are we just giving them that data?
why can't we have the option to not give them that data?
see where I'm coming from -
@AgentX so you're saying it's ok to track that data for hackers to collect if they should breach the security??
keep in mind, nothing is unhackable
also keep in mind extensions can change settings, so yes they have access to files
(a limited set of files, but the access is still there)also, I assume bonetone assumed I was talking about full unrestricted access to your PC
no, that's not what I was talking about
I'm specifically talking about access to local settings and cache data, which are part of the browser sandbox stored as files, which extensions have access to.I'm not sure if this specifically includes engagement data, though I'd assume it would as it's part of the browser cache.
-
@AgentX exactly, but to a degree
the only thing I have an issue with is what can be accessed within the sandboxthe fact that chromium-based browsers even have a sandbox is the very reason I use them.
last time I used Firefox, there wasn't asandbox, but that was before 2012 so yeah.also, sorry about putting words in your mouth
I just wanted to be sure things were made well aware of
(I've dealt with people before who completely ignored target facts like that)EDIT:
also, I run Linux which has slightly less ways to protect yourself over Windows
(granted you have to go numerous extra miles just to even make sure those protections actually work on Windows, but still)one issue of which, Linux doesn't have virus protection or HIPS
-
@AgentX actually, it was the agressive tone of your initial post that made me consider a misunderstood target of your post.
also, I wasn't meaning to insinuate you (or him) were ignoring me
I was only defending my take, I've dealt with the stuff before, so I was taking caution with that bitbut anyways, closing that discussion, yes I'm talking about what's inside the sandbox
I should probably note that in my initial post so it's more clear. -
well, as it's been almost 2 years now
have there been any flags or options added to disable these vectors to mitigate potential data collection/profiling hazards??or are users still vulnerable to potential privacy loss??
... these pages still function so I assume nothing was done?
-
I see the latest update still has engagement tracking
guess vivaldi doesn't want to be secure and allow me to disable it.
-