Summary: ETP strict mode performs content-blocking, which can cause breakage on many sites ranging from features like Facebook's federated logins not working, to sites not being able to load at all. This currently occurs in private browsing mode, and/or if the user has enabled the option in Firefox preferences. Shims serve as stand-ins for specific blocked resources, mimicking them well enough to un-break webpages. They additionally allow users to opt into loading the original blocked resource, on a per-resource and per-TLD basis, to allow users to (for instance) log into a specific site with Facebook by just clicking on the usual login button to open the related login popup, without having to take extra actions to allow the Facebook script and refreshing the page. This way users pick and choose which resources are allowed on which sites, to minimize what is actually allowed through ETP content blocking. Shims are shipped as part of the pre-existing webcompat system/built-in addon (not hosted remotely).

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1637329

Standard: None. The same basic concept is being used by DuckDuckGo's privacy extension as well as uBlock Origin, using the name "surrogates", but without the user opt-in concept.

Platform coverage:
- Desktop nightly in 81, riding to release for 82.
- Android TBD (but currently aiming for the same schedule).

List of shims initially enabled:
- Allow federated logins with Facebook and Rambler
- Fix basic site breakage related to:
  - Ads by Google
  - Ad Safe Protected's Google IMA adapter
  - BmAuth by 9c9media
  - Eluminate (coremetrics.com)
  - Google Analytics (and its Tag Manager and e-commerce plugins)
  - Google IMA3
  - Google Publisher Tags
  - Rich Relevance

Preference: extensions.webcompat.enable_shims = true|false
Individual shims may also be disabled, for instance: extensions.webcompat.disabled_shims.FacebookSDK = true

DevTools bug: None. A message will be logged to the web console for each shim which is active on a given page, linking to their related Bugzilla bug.

Other browsers: None by default to my knowledge, but as mentioned, DuckDuckGo browser's privacy extension has a similar "surrogates" feature, as does uBlock Origin.

Test coverage: Mochitests are provided for test-coverage, as this is not presently a standards-track feature, and requires tests for a system/built-in addon.

Security & Privacy Concerns: Users may opt into allowing otherwise-blocked resources, as desired. This will of course thwart content-blocking, so to limit the risk the user will need to opt in on a per-TLD basis, and the web API exposed by shims (to match the original scripts being shimmed) is limited to only allowing specific resources through ETP content-blocking on a case-by-case basis, and only if they intend to allow user opt-ins in the first place.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
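
Added example (not part of the original message, and not Mozilla's shim code): a minimal stand-in for a blocked analytics script, showing why a page breaks when the script is simply missing and how a stub that sends nothing un-breaks it. The function names and the window-like object are assumptions for illustration; only the page-facing ga()/hitCallback calling convention is imitated.

```javascript
// Hypothetical stand-in for a blocked analytics script. It exposes the same
// page-facing entry point (window.ga) but performs no network requests.
function installAnalyticsStandIn(win) {
  const handled = [];                        // command names seen; nothing is sent
  const tracker = { get: () => undefined, set: () => {}, send: () => {} };

  function run(args) {
    const first = args[0];
    if (typeof first === "function") {       // ga(readyCallback) form
      handled.push("ready");
      first(tracker);
      return;
    }
    handled.push(String(first));
    // Pages often delay navigation until hitCallback fires. With the real
    // script blocked and no stand-in, that callback never runs and the
    // click looks dead. Invoke it locally instead.
    const fields = args[args.length - 1];
    if (fields && typeof fields === "object" &&
        typeof fields.hitCallback === "function") {
      fields.hitCallback();
    }
  }

  // Calls the page queued before the script "loaded" are replayed below.
  const queued = (win.ga && win.ga.q) || [];
  const ga = (...args) => run(args);
  ga.loaded = true;
  ga.create = () => tracker;
  ga.getAll = () => [tracker];
  win.ga = ga;
  queued.forEach((args) => run(Array.from(args)));
  return handled;
}

// Constructed page state: a loader snippet queues one call, the stand-in is
// installed, then an outbound-link handler waits on hitCallback.
function demo() {
  const win = {};
  win.ga = function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga("create", "UA-XXXXX-Y", "auto");    // placeholder property id
  const handled = installAnalyticsStandIn(win);
  let navigated = false;
  win.ga("send", "event", {
    eventCategory: "outbound",
    hitCallback: () => { navigated = true; },
  });
  return { handled, navigated, loaded: win.ga.loaded };
}
```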