Decentraleyes is, strictly speaking, only useful if you’re bandwidth constrained or very worried about your privacy, but it’s a neat idea nonetheless.
Meddling with the security of websites by an extension is understandably not allowed under Mozilla’s policies for extensions. The wording specifically says that an extension is not to “Degrade the security of HTTPS sites” nor “Create or expose security vulnerabilities”.
This problem can’t really be solved under Mozilla’s current extension policies of not weakening website security. Decentraleyes’s only options are either to block the library without replacing it, which some users may find useful, or to allow the library to be loaded from the external CDN when it detects a strong Content-Security-Policy. Currently, this problem results in a few broken websites here and there when using Decentraleyes.
Update (): Version 2.0.0 has been completely rewritten using the Firefox WebExtension API. However, this problem remains unresolved — and now even more websites use CSP and run into problems with Decentraleyes.
So what is the privacy problem, anyway?
The privacy issue that Decentraleyes wants to fix is all about the referrer header. Like the issue I discussed last week, the HTTP referrer header can leak information about what websites you visit. A content distribution network receives requests from your web browser every time you visit any page that loads anything from them.
The most popular CDN providers thus receive a lot of signals about which webpages interest a user, even though the CDN is supposedly only providing hosting services.
It’s interesting to note that some of the free content delivery networks are provided by data brokers like Google and Baidu. EFF’s Privacy Badger extension automatically detects some of these CDNs as trackers and will automatically block them.
I hope to see a resolution to the Content-Security-Policy problem, and to see a longer list of supported content delivery networks in future updates to Decentraleyes.