DNS Prefetching on HTTP sites #548
Comments
Sounds like a good idea to me. |
Weird. In Chrome Version 74.0.3729.108 in my Manjaro this option does not exist in
|
It does help, but this does not address I blocked all 3rd-party scripts/frames for the test, to minimize variability across page loads. These are the results with uBO's "Disable prefetch" enabled:
The Observations from above:
|
Related issue:
- uBlockOrigin/uBlock-issues#548
The fix applies only to Chromium-based browsers -- a `X-DNS-Prefetch-Control` header[1] will be unconditionally injected when uBO's "Disable pre-fetching" setting is enabled (it is by default).
This is a mitigation, this does not completely fix the issue of the setting "Disable pre-fetching" being disregarded on Chromium-based browsers when sites use `preconnect`/`preload`.
[1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
For preconnect/prerender -- https://bugs.chromium.org/p/chromium/issues/detail?id=786038 |
Easier to watch on linux by:
from https://unix.stackexchange.com/questions/43716/how-to-log-all-my-dns-queries
Using OP scriptlet on example.com in Chrome 74.0.3729.108:
In uBO from master "0-just-anchor" does not appear in both http and https. In 1.18.16, I see "0-just-anchor" only on http: page. |
So this is limited to http sites only ? I use CloudFlare D-O-H instead of normal unencrypted DNS services. |
@gwarser Not sure I understand what you are reporting. Is the fix good or bad? Note that I was using |
I tried to use CSP's
I couldn't spot any obvious flag related to this. |
It works. DNS prefetching for OP script uses random domains - no need to clear DNS cache. DNS requests for preload, prefetch, preconnect, dns-prefetch, prerender happen no matter what. |
chrome://flags/#enable-experimental-web-platform-features |
https://www.chromium.org/developers/design-documents/dns-prefetching
Yes, with this script you can easily test the behavior on http://example.com without problems related to DNS caching. Just inject it like a userscript|contentscript (I use Cases to test:
|
How does this not have more public coverage? What a nasty little "bug" (in chrome). |
works for
hmm, ok it's not supposed to be on for 'http' sites, by default:
unless, I guess the site itself sets it in headers. well, I tried this and had no effect: https://github.com/Eloston/ungoogled-chromium/issues/815
--- a/third_party/blink/renderer/core/dom/document.cc 2019-08-25 10:07:09.672360957 +0200
+++ b/third_party/blink/renderer/core/dom/document.cc 2019-08-26 10:31:41.923726592 +0200
@@ -6790,17 +6790,17 @@ void Document::DetachRange(Range* range)
}
void Document::InitDNSPrefetch() {
- Settings* settings = GetSettings();
+ //Settings* settings = GetSettings();
- have_explicitly_disabled_dns_prefetch_ = false;
- is_dns_prefetch_enabled_ = settings && settings->GetDNSPrefetchingEnabled() &&
+ have_explicitly_disabled_dns_prefetch_ = true;
+/* is_dns_prefetch_enabled_ = settings && settings->GetDNSPrefetchingEnabled() &&
GetSecurityOrigin()->Protocol() == "http";
// Inherit DNS prefetch opt-out from parent frame
if (Document* parent = ParentDocument()) {
if (!parent->IsDNSPrefetchEnabled())
- is_dns_prefetch_enabled_ = false;
- }
+*/ is_dns_prefetch_enabled_ = false;
+ //}
}
void Document::ParseDNSPrefetchControlHeader(
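Review bot: In `InitDNSPrefetch()`, hard-coding `have_explicitly_disabled_dns_prefetch_ = true` and `is_dns_prefetch_enabled_ = false` drops both the `settings->GetDNSPrefetchingEnabled()` check and the parent-frame opt-out, so the existing setting no longer has any effect on this path. If an always-off build is the goal, delete the old lines rather than wrapping them in `/* ... */` and `//}`: the block comment swallows the `// Inherit DNS prefetch opt-out` line and leaves a commented-out brace behind, which makes the function hard to audit. A one-line comment stating that prefetch is disabled on purpose would replace all of it.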
--- a/third_party/blink/renderer/core/loader/preload_helper.cc 2019-08-09 16:48:15.000000000 +0200
+++ b/third_party/blink/renderer/core/loader/preload_helper.cc 2019-08-26 10:32:18.751263607 +0200
@@ -135,7 +135,7 @@ void PreloadHelper::DnsPrefetchIfNeeded(
// <https://bugs.webkit.org/show_bug.cgi?id=48857>.
if (settings && settings->GetDNSPrefetchingEnabled() &&
params.href.IsValid() && !params.href.IsEmpty()) {
- if (settings->GetLogDnsPrefetchAndPreconnect()) {
+/* if (settings->GetLogDnsPrefetchAndPreconnect()) */{
SendMessageToConsoleForPossiblyNullDocument(
ConsoleMessage::Create(
mojom::ConsoleMessageSource::kOther, so that tells me, that what teh? bool has_preconnect_prediction = false;
PreconnectPrediction prediction;
has_preconnect_prediction =
resource_prefetch_predictor_->PredictPreconnectOrigins(url, &prediction) ;
// Try to preconnect to the |url| even if the predictor has no
// prediction.
has_preconnect_prediction =
AddInitialUrlToPreconnectPrediction(url, &prediction);
if (!has_preconnect_prediction)
return;
chrome/browser/predictors/loading_predictor.cc
Assuming chromium is run with `--enable-experimental-web-platform-features`, then this is supposed to replace any specified prefetch-src values with 'none'.
todo: always set this! which is why it isn't working for preconnect on www.pcmag.com as per: https://github.com/uBlockOrigin/uBlock-issues/issues/548#issuecomment-524763679
--- a/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc 2019-08-26 11:27:13.200846767 +0200
+++ b/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc 2019-08-26 11:36:06.356144097 +0200
@@ -1355,7 +1355,8 @@ void CSPDirectiveList::AddDirective(cons
if (type == ContentSecurityPolicy::DirectiveType::kRequireSRIFor) {
ParseRequireSRIFor(name, value);
} else if (type == ContentSecurityPolicy::DirectiveType::kPrefetchSrc) {
- SetCSPDirective<SourceListDirective>(name, value, prefetch_src_);
+ static const String none=* new String("none");
+ SetCSPDirective<SourceListDirective>(name, none, prefetch_src_);
} else {
policy_->ReportUnsupportedDirective(name);
} and tried other stuff but nothing. tried "'none'" too!
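Review bot: The override sits inside the `kPrefetchSrc` branch of `AddDirective`, so it only runs when the page's own policy already carries a `prefetch-src` directive; a page that sends none gets no restriction from this change. Two smaller points on the added line: `"none"` without single quotes is not the CSP keyword `'none'`, and `* new String("none")` heap-allocates a string only to copy it into the static, where a plain `String` local would do.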
diff --git a/src/js/traffic.js b/src/js/traffic.js
index ac77e0e0..00a98a4a 100644
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@@ -836,6 +836,8 @@ const injectCSP = function(fctxt, pageStore, responseHeaders) {
}
}
+ builtinDirectives.push("prefetch-src none");
+
if ( builtinDirectives.length !== 0 ) {
cspSubsets[0] = builtinDirectives.join(', ');
} ok we're getting somewhere, by starting chromium with
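Review bot: `"prefetch-src none"` is missing the single quotes around the keyword, so `none` is read as a host name rather than as `'none'`; the pushed string should be `"prefetch-src 'none'"`. The push is also unconditional, which makes the `builtinDirectives.length !== 0` test right below it always true, so `cspSubsets[0]` is populated for every response whether or not the user's "Disable pre-fetching" setting is on. Gate the push on that setting.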
ok well, fixed by: --- a/chrome/browser/predictors/preconnect_manager.cc 2019-08-26 14:08:51.054928230 +0200
+++ b/chrome/browser/predictors/preconnect_manager.cc 2019-08-26 14:09:00.778805985 +0200
@@ -105,6 +105,7 @@ void PreconnectManager::StartPreresolveH
void PreconnectManager::StartPreresolveHosts(
const std::vector<std::string>& hostnames) {
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+ return;
// Push jobs in front of the queue due to higher priority.
for (auto it = hostnames.rbegin(); it != hostnames.rend(); ++it) {
PreresolveJobId job_id =
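Review bot: The bare `return;` after `DCHECK_CURRENTLY_ON` in `StartPreresolveHosts` leaves the job-queueing loop below it unreachable and turns the function into a silent no-op for every caller. If that is the intent, remove the dead body and add a comment saying why preresolve is disabled; if it should follow a user preference, check that preference here instead of returning unconditionally.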
@@ -120,7 +121,7 @@ void PreconnectManager::StartPreresolveH
void PreconnectManager::StartPreconnectUrl(const GURL& url,
bool allow_credentials) {
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
- if (!url.SchemeIsHTTPOrHTTPS())
+// if (!url.SchemeIsHTTPOrHTTPS())
return;
PreresolveJobId job_id = preresolve_jobs_.Add(std::make_unique<PreresolveJob>(
url.GetOrigin(), 1, allow_credentials, nullptr)); hopefully nothing else that I forgot. |
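Review bot: Commenting out only `if (!url.SchemeIsHTTPOrHTTPS())` in `StartPreconnectUrl` leaves the still-indented `return;` to run unconditionally, which reads like an accidental edit and makes the `preresolve_jobs_.Add(...)` call below it unreachable. Make the intent explicit: delete the `if` line, de-indent `return;` and add a comment, or keep the scheme check and add a separate early return.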
Description
This issue is on bugs.chromium.org: https://bugs.chromium.org/p/chromium/issues/detail?id=955588
Visiting HTTP-hosted sites causes DNS prefetching of all links inside the HTML document: all `href` of `<a>` and `<link>` tags.
Though HTTP is a non-encrypted connection, I would prefer not to have such browser behavior.
In case you use an HTTPS proxy to connect to an HTTP-hosted site (and block downloading of all third-party elements), you can have a private channel between you and the proxy:
[You - ISP - Internet - Proxy] - Internet - Host
But the browser performs DNS prefetching of all links inside the document even if you do not connect to them. And it breaks the privacy of this channel.
But: in incognito mode this does not happen, except for `<link rel="prerender" href="...">`.
I (and you) can disable DNS prefetching of `<a>` tags by inserting the HTTP response header `"x-dns-prefetch-control": "off"`. It works. Can you add this functionality? I have tested it via the ModHeader extension.
uBO allows blocking DNS prefetching of the following:
`<link rel="preload" as="..." href="...">`
`<link rel="prefetch" href="...">`
when the `"href"` of the `<link>` is a domain that is blocked by uBO.
But these:
`<link rel="preconnect" href="...">`
`<link rel="dns-prefetch" href="...">`
`<link rel="prerender" href="...">` (this "works" even in incognito mode)
cause DNS prefetching even if uBO blocks the domain contained in the `"href"` attribute of these `<link>` tags.
Is it possible to work around it?
The useful userscript for testing:
A specific URLs where the issue occurs
http://*/*
For example: http://example.com
Steps to Reproduce
Disable pre-fetching (to prevent any connection for blocked network requests)
in uBO{}
)`href`) in `<a>`, `<link>` tags was DNS resolved.
Expected behavior:
DNS resolving should happen only for domains of resources that were downloaded.
Actual behavior:
All `href` in `<a>`, `<link>` tags were DNS resolved.
Your environment
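The `X-DNS-Prefetch-Control: off` mitigation discussed in this issue, plus a helper that lists which third-party hostnames a page exposes through `<a>` and hint `<link>` tags so they can be compared against a DNS query log. This is an added example, not uBlock Origin's code: `forceDnsPrefetchOff` and `prefetchCandidates` are hypothetical names, the HTML sample is constructed, and the listener wiring assumes a Manifest V2 extension with the `webRequest` and `webRequestBlocking` permissions.

```javascript
'use strict';
// Added example; names are hypothetical. HINT_RELS: <link rel> values the issue lists.
const HINT_RELS = new Set(['dns-prefetch', 'preconnect', 'prefetch', 'preload', 'prerender']);
// Return the headers with exactly one "X-DNS-Prefetch-Control: off".
// A value sent by the site (e.g. "on") is dropped; header names are case-insensitive.
function forceDnsPrefetchOff(responseHeaders) {
    const kept = (responseHeaders || []).filter(h => h.name.toLowerCase() !== 'x-dns-prefetch-control');
    kept.push({ name: 'X-DNS-Prefetch-Control', value: 'off' });
    return kept;
}

// Audit helper: third-party hostnames in <a href> and hint <link href>,
// i.e. the names to look for in a DNS query log. Regex scan, not a full HTML parser.
function prefetchCandidates(html, pageUrl) {
    const pageHost = new URL(pageUrl).hostname;
    const found = new Map();
    for (const [, tag, attrs] of html.matchAll(/<(a|link)\b([^>]*)>/gi)) {
        const href = /\bhref\s*=\s*["']([^"']+)["']/i.exec(attrs);
        if (href === null) continue;
        let kind = 'anchor';
        if (tag.toLowerCase() === 'link') {
            const rel = /\brel\s*=\s*["']([^"']+)["']/i.exec(attrs);
            const rels = rel ? rel[1].toLowerCase().split(/\s+/) : [];
            kind = rels.find(r => HINT_RELS.has(r));
            if (kind === undefined) continue;   // e.g. rel="stylesheet"
        }
        let host;
        try { host = new URL(href[1], pageUrl).hostname; } catch (e) { continue; }
        if (host === '' || host === pageHost) continue;   // mailto:, same-site links
        if (!found.has(host)) found.set(host, new Set());
        found.get(host).add(kind);
    }
    return [...found].map(([host, kinds]) => ({ host, kinds: [...kinds].sort() }));
}

// Constructed sample page, as if served from http://example.com/
const SAMPLE_HTML = `<a href="http://news.example.net/story">a</a> <a href="/local">b</a>
<link rel="stylesheet" href="http://cdn.example.org/a.css">
<link rel="preconnect" href="//cdn.example.org">
<link rel="dns-prefetch" href="//tracker.example.com"> <a href="http://tracker.example.com/o">c</a>`;

// Browser wiring (Manifest V2 webRequest); skipped when the file is run under Node.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
    chrome.webRequest.onHeadersReceived.addListener(
        d => ({ responseHeaders: forceDnsPrefetchOff(d.responseHeaders) }),
        { urls: ['http://*/*', 'https://*/*'], types: ['main_frame', 'sub_frame'] },
        ['blocking', 'responseHeaders']);
}
```

As the comments above report, the header covers anchor prefetching only; hostnames that `prefetchCandidates` tags as `preconnect`, `dns-prefetch` or `prerender` still need to be checked in the resolver log.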