Here are some Tor privacy controls that might be a bit hard to ship by default:
1) Various navigator.* APIs all claim you're on Windows. Some people on non-Windows platforms may have issues with this.
2) Various window-sizing APIs lie about sizing, so pages that use them will end up making windows too small for their content.
3) Geolocation is disabled altogether.
4) The performance API is effectively disabled (claims pretty much everything took 0 time).
5) Media queries on the device pixel ratio lie and claim it's 1, no matter what it actually is.
6) All timing functions are clamped to the nearest 100ms. That means Date.now(), performance.now(), etc. If nothing else, shipping this by default will make all benchmark results _very_ weird.
There's also various other functionality that gets disabled (gamepad API, orientation API, etc, etc). These are generally not used much yet, so might be ok to remove, if people think these should actually not exist as web APIs.
1) So make a request that Tor-like functions tell servers that our OS is Ubuntu. Perhaps I'm obtuse here, but who gives a darn if it's a matter of privacy - isn't the issue to hide under the most common OS?
2) So we send (through a Tor-backed PGP/GPG-encrypted message) a message saying "hey dev.dork, your minimum window size is unrealistic".
3) Yay!
4) Yay!
5) And...? maybe it'd be wise to declare 4:3, but otherwise I see no issue.
6) Well, obviously we should have a button of "This page is requesting private data - Share for this page load? Y/N"
And I really, really don't mind if literally everything called an "API" were to go out the bloody window. Sure, it's throwing the baby out with the bathwater, but there's too much bathwater and the baby's a squalling jerkface anyhow.
> Perhaps I'm obtuse here, but who gives a darn if it's a matter of privacy
Some sites actually work incorrectly (e.g. keep giving you an .exe to download instead of something you can actually use) if they think you're on Windows when you actually aren't. I'm not saying this is good practice, just that people do it.
> So we send
Normal users don't do that. Remember, we're not talking about a "privacy mode you can enable", but a "privacy mode that is shipped by default out of the box". Obviously for an opt-in mode things are simpler.
> 3) Yay!
Turns out some sites break without geolocation. Again, not saying it's a good idea, but it is what it is.
> 4) Yay!
Just so you understand, the next likely step is Facebook blocking your browser.
> 5) And...? maybe it'd be wise to declare 4:3, but otherwise I see no issue.
Um... I don't think you understand what device pixel ratio is. This is the ratio of CSS to device pixels. Aka "is this a high-dpi screen", aka "which images should actually be used to look nice?"
> 6) Well, obviously we should have a button of "This page is requesting private data - Share for this page load? Y/N"
So every page that uses performance.now() (hint: pretty much everything) would have this thing appear? Again, remember that we're talking about a default mode here. Do you really think this is the experience most users are looking for?
I really think you're talking about a quite different situation (opt-in privacy mode) than the one I was responding to...
I'd be happier with a more private experience, at whatever cost it takes. As far as device pixel ratio, when I think of pixel ratio, I think of 4:3, 16:10, etc. Frankly, loading larger images means more data sent and received, which in turn gives the website longer to attempt to inject tracking data through EXIF or whatnot. Frankly, disabling off-page CSS wouldn't bother me either unless somehow we'd be able to show different "user instances" to the server when we request the CSS sheet from one part of the server compared to the one where we render the page we actually want.
If sites break because people control their web experience, then one of two things will happen:
1) People who are not security-focused will switch to Chrome, which is what's already happened. So focus on a specific group and push the edge-case agenda with both the browser product and an ongoing marketing budget.
2) People will become aware of what webpages are demanding by default and just how little respect these groups have for their privacy - and have a means to fight back through browser selection.
I'm willing to accept that there will be the need for certain opt-out options because some people are going to actually want to give up private data, for purposes of online shopping, online banking, etc.. I want it default closed down, but again, I accept that most people aren't focused on it.
> People who are not security-focused will switch to Chrome, which is what's already happened
No, it hasn't. And I think explaining to people exactly why a web page expecting Date.now() to work is somehow demanding something and invading their privacy is a pretty tough job. Like "requires reading academic papers to understand why it could be a problem" tough.
So what you're basically suggesting is that Firefox resign itself to being an extremely niche browser. I don't think that really aligns with Mozilla's goals, for what it's worth.