Payment Request API | W3C

Payment Request API; W3C; 2017-09-21.

  • Adrian Bateman, Microsoft Corporation
  • Zach Koch, Google
  • Roy McElmurry, Facebook
  • Domenic Denicola, Google
  • Marcos Cáceres, Mozilla


WebRTC and STUN for intra-LAN exploration & end-user tracking


  • WebRTC, promotional site
  • Availabilities
    all the browsers that matter

    • Android
    • Chrome (Linux, Android, Windows)
    • Firefox
    • Opera
    • Safari (iOS)




  • RFC 7350, Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN); Petit-Huguenin, Salgueiro; IETF; 2014-08.
  • RFC 7064, URI Scheme for the Session Traversal Utilities for NAT (STUN) Protocol; Nandakumar, Salgueiro, Jones, Petit-Huguenin; IETF; 2013-11.
  • RFC 5928, Traversal Using Relays around NAT (TURN) Resolution Mechanism; Petit-Huguenin; IETF; 2010-08.
  • RFC 5389, Session Traversal Utilities for NAT (STUN); Rosenberg, Mahy, Matthews, Wing; IETF; 2008-10.

    • RFC 3489, STUN – Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs); Rosenberg, Weinberger, Huitema, Mahy; IETF; 2003-03. Obsoleted by RFC 5389.

In Jimi Wales’ Wiki.



In archaeological order


665909 WebRTC Tracking; In Bugzilla of Mozilla; 2011-06-21→2016-01-11; Closed as INVALID

Some droid using the self-asserted identity token cchen; How to Stop WebRTC Local IP Address Leaks on Google Chrome and Mozilla Firefox While Using Private IPs; In Privacy Online Forums; 2015-01→2015-03.


  • Availability
    of the problem (not of WebRTC in general)

    • Chrome of Google
      • Windows
    • Firefox of Mozilla
      • Unclear, perhaps Windows only
    • Internet Explorer of Microsoft
      WebRTC is not available at all.
    • Opera of Opera
      • Unclear
    • Safari of Apple
      WebRTC is not available except through a plugin
    • Unavailable
      • Chrome of Google
        • OS/X
        • Android
      • Linux at all
        not clear; not mentioned at all.
  • Blocking
    • Chrome of Google
    • Firefox of Mozilla
      • Production
        • about:config
        • media.peerconnection.enabled → set to false to block WebRTC (the default is true, i.e. enabled)
      • Development

        • Canary
        • Nightly
        • Bowser
    • Opera of Opera
  • API Directory
    • voice calls
    • video chats
    • p2p file sharing


  • Chrome
    default is available and active
  • Firefox
    • about:config
    • media.peerconnection.enabled is true by default, so WebRTC is on; set it to false to turn it off
  • Opera
    only when configured, with a plugin, to run Google Chrome extensions


webrtc-ips, a STUN & WebRTC test rig

  • diafygi/webrtc-ips
  • via on-page JavaScript, makes latent requests to certain STUN servers.
  • Firefox 34 → Does. Not. Work.
  • Fails with
    Error: RTCPeerConnection constructor passed invalid RTCConfiguration - missing url webrtc-ips:58
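How such a rig works, as an added example written for this page (it is not the webrtc-ips code): the browser is asked to gather ICE candidates against a STUN server, and the addresses are read out of the candidate lines. A host candidate carries the address of a local interface (the intra-LAN leak); a srflx candidate carries the address the STUN server saw (the public or VPN-egress address). The STUN server name, the sample candidate lines and the browser wiring are assumptions; the wiring passes the server under both the legacy `url` key (what the Firefox 34 error above is complaining is missing) and the standard `urls` key, on the assumption that old and new RTCPeerConnection implementations then both accept it. The parser also skips the mDNS (`.local`) host candidates that current browsers publish instead of raw LAN addresses.

```javascript
// Added example for this page, not the diafygi/webrtc-ips code.
// A WebRTC "IP leak" test asks the browser to gather ICE candidates against a
// STUN server and reads the addresses out of the candidate lines:
//   typ host  -> an address of a local interface (the intra-LAN leak)
//   typ srflx -> the address the STUN server saw (public / VPN egress address)
// Assumptions: the STUN server name, the sample candidate lines and the
// browser wiring below are illustrative.

// RFC 1918 private ranges plus link-local and loopback.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254) ||
    o[0] === 127;
}

// Parse one candidate line (RFC 5245 syntax, with or without the "a=" prefix), e.g.
// "candidate:2 1 udp 1686052607 203.0.113.7 51243 typ srflx raddr 192.168.1.20 rport 51243"
function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/.exec(line);
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
    relatedAddress: m[8] || null,
    // Current browsers publish host candidates as mDNS names (xxxx.local)
    // instead of raw LAN addresses; those carry no address to leak.
    mdns: /\.local$/i.test(m[5]),
  };
}

// What the leak test reports: LAN addresses and public addresses observed.
function summarizeLeak(lines) {
  const local = new Set(), pub = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.mdns) continue;
    if (c.type === 'host') {
      (isPrivateIPv4(c.address) ? local : pub).add(c.address);
    } else if (c.type === 'srflx') {
      pub.add(c.address);                       // as seen from outside the NAT
      if (c.relatedAddress && isPrivateIPv4(c.relatedAddress)) local.add(c.relatedAddress);
    }
  }
  return { localIPs: [...local].sort(), publicIPs: [...pub].sort() };
}

// Browser-only collection; calls back with [] elsewhere (e.g. under Node).
// Assumption: giving the server under both the legacy `url` key (what the
// Firefox 34 error on this page is about) and the standard `urls` key
// satisfies old and new RTCPeerConnection implementations.
function collectCandidates(stunServer, onDone) {
  if (typeof RTCPeerConnection === 'undefined') { onDone([]); return; }
  const pc = new RTCPeerConnection({ iceServers: [{ url: stunServer, urls: stunServer }] });
  const lines = [];
  pc.createDataChannel('probe');                 // any media section starts ICE gathering
  pc.onicecandidate = (ev) => {
    if (ev.candidate) { lines.push(ev.candidate.candidate); return; }
    pc.close();                                  // null candidate = gathering complete
    onDone(lines);
  };
  pc.createOffer().then(offer => pc.setLocalDescription(offer));
}

// Constructed sample, not a real capture.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.20 51243 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.7 51243 typ srflx raddr 192.168.1.20 rport 51243 generation 0',
  'a=candidate:3 1 udp 2122260223 4f5e6d7c-1234-5678-9abc-def012345678.local 51244 typ host generation 0',
];

if (typeof module !== 'undefined' && require.main === module) {
  console.log(summarizeLeak(SAMPLE_CANDIDATES));
  // In a browser: collectCandidates('stun:stun.example.net:3478', lines => console.log(summarizeLeak(lines)));
}
```

Run it under Node to see the parser on the constructed lines; load it in a page and call `collectCandidates` with a real STUN server to see what your own browser hands out. If you have set `media.peerconnection.enabled` to false, the constructor is simply absent and the callback gets an empty list.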


  • Private Internet Access (PIA)
  • Real-Time-Communication (RTC)
  • Virtual Private Network (VPN)
  • WebRTC


In Privacy Online Forums:


  • 2013
  •  Since WebRTC uses javascript requests to get your IP address, users of NoScript or similar services will not leak their IP addresses.

Via: backfill.


  • about:config
  • media.peerconnection.enabled set to true (default true)

HOWTO Disable HTML5 Video Autoplay in Firefox

media.autoplay.enabled = false [default true]

Does not work until Firefox 41:

  • 1242713 media.autoplay.enabled=false does not prevent videos on youtube to autostart; In Bugzilla of Mozilla; 2016-01-25→current; still open.
    tl;dr → describes Firefox 42, on Linux.
  • 659285 Extend media.autoplay.enabled to provide a way to disable untrusted play() invocations; In Bugzilla of Mozilla; 2011-04-24→2016-01-25; resolved as fixed.

Brave (browser)



  • Available
    • no
    • circa v0.7
    • assemble the sources yourself
    • closed beta program.
  • Cultures
    • Linux
    • Mac (OS/X)
    • Windows (sic)
    • Android
    • iPhone (iOS)
  • Basis
    • Chromium → Linux, Mac, Windows
    • iOS → Firefox for iOS
    • Android → Bubble (linkbubble)
  • linkbubble
  • Funding
    • $2.5 million
    • Unnamed individuals
      “angel” investment.
  • Features
    • Known
      • HTTPS Everywhere add-on
    • Expected, not declared as existing
      • a UI
      • cross-platform sync
      • incognito mode
      • password manager



  • Mozilla co-founder unveils Brave, a Web browser that blocks ads by default; In Ars Technica; 2016-01-21.
    Teaser: … but Brave then replaces blocked ads with its own ads, taking a 15% cut of revenues.

    • <quote>In practice, Brave just sounds like a cash-grab. Brave isn’t just a glorified adblocker: after removing ads from a Web page, Brave then inserts its own programmatic ads</quote>
  • Brendan Eich Launches Brave New Browser; Ian Elliot; In I Programmer; 2016-01-20.
    Teaser: Brendan Eich, the man who invented JavaScript and the co-founder of Mozilla, has just launched a new browser called Brave. Is this a Firefox fork?

Via: backfill.

On the path to the deprecation, abandonment & refusal to honor SHA-1 signatures


  • Chrome will completely stop supporting SHA-1 certificates, soon
    • on or before 2017-01-01 (after 2016-12-31).
    • but maybe 2016-07-01 (after 2016-06-30).
  • Chrome will exhibit a warning if a site presents a certificate that
    • is signed with a SHA-1-based signature,
    • is issued on or after 2016-01-01 (after 2015-12-31), and
    • chains to a public CA.
  • Chrome 48
    due “early in 2016”.


  • Lucas Garron, Chrome security team, Google.
  • David Benjamin, Chrome’s networking group, Google.



  • Ryan Sleevi; A History of Hard Choices; On His Blog, at Medium; 2015-12-28; separately noted.
    Ryan Sleevi, cross-platform crypto & PKI core, Chromium, Google.


Unsanctioned Web Tracking | W3C

Unsanctioned Web Tracking; Finding of the Technical Architecture Group (TAG), W3C; Mark Nottingham.


Section 5


  • Finds that unsanctioned tracking is actively harmful to the Web, because it is not under the control of users and not transparent.
  • Believes that, because combatting fingerprinting is difficult, new Web specifications should take reasonable measures to avoid adding unneeded fingerprinting surface area. However, added surface area should not be a primary factor in determining whether to add a new feature.
  • Asserts that when a new feature does add fingerprinting surface area, it should be documented as such.
  • Finds that new local storage features and other potential tracking mechanisms should maintain and interoperate with existing user controls.
  • Encourages browser vendors to expose appropriate controls to users who wish to minimize their fingerprinting surface area.
  • Acknowledges that despite best efforts, technical solutions to unsanctioned tracking are not able to completely prevent its use by a determined adversary. Instead, our focus should be on making sure that unsanctioned tracking does not become “normal” on the Web.
  • Encourages policy makers to be aware that unsanctioned tracking may introduce privacy, security and consumer protection concerns within their jurisdiction, and to consider appropriate action.



Light on the definition of the effect (what is ‘unsanctioned tracking’?).  This seems to be enumerated in Sections 1 & 2 as:

  • unsanctioned web tracking → is the inverse of standards-defined tracking.
  • standards-defined web tracking→ interpreted as
    • Technologies
      • HTML4 State (Cookies)
      • HTML5 Web Storage
    • Acceptable pattern of use
      • Pixels (GET of zero-sized, no-op, documents [images])
      • Consumer-visibility affordance
      • Consumer-visible opt out signalling.
    • Acceptable product features & business models
      • shopping carts
      • persistent site preferences
      • behavioral advertising
      • [unclear the list is closed or open]

Not Mentioned

  • Advertising Identifiers, e.g. IDFA, GPSAID
  • Geofencing, geo-behavioral identification.


Appendix A

A. Barth; HTTP State Management Mechanism; RFC 6265; IETF; 2011-04; Proposed Standard.
Butler W. Lampson; A Note on the Confinement Problem; In Communications of the ACM; Volume 16, Number 10; 1973-10; 5 pages.
Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis; The Spy in the Sandbox – Practical Cache Attacks in JavaScript; previously filed.
Universal Declaration of Human Rights.
Ian Hickson; Web Storage (Second Edition); W3C Candidate Recommendation; 2015-06-09.


Linked within the document; in order of appearance



This is a straw man, a red herring, a toy argument.  The elements cited are substantially fringe techniques in any case, but that notwithstanding: there is no such category as unsanctioned tracking.  All in-industry tracking & targeting is done under consumer consent, with agreements voluntarily entered into with full presentment of Notice and the availability of the affordance of Choice, subject to the stated Terms & Conditions of the owner of the (entertainment) service which is being delivered unto the consumer for their enjoyment.  There is no other kind of trak-N-targ except under consumer consent; it simply doesn’t exist, it can’t exist by definition.  Acceptance of the T&C contract is by adhesion, and the consumer’s remedy upon inability to accept the T&C is to leave the area [leave the internet].  For fun, here is a publisher who makes this framework very clear: <quote>If you don’t agree to the terms contained in this User Agreement and Privacy Policy, you must immediately exit the Service.</quote>

California Privacy Policy; At Condé Nast, in force at Ars Technica; 2014-01-02 → 2015-07-17 (present).

Via: backfill

Tracking Protection in Firefox for Privacy and Performance | Kontaxis, Chew

Georgios Kontaxis (Columbia), Monica Chew (Mozilla); Tracking Protection in Firefox for Privacy and Performance; In Proceedings of the Web 2.0 Security and Privacy (W2SP); 2015-05-23; 4 pages; copy, slides (18 slides).


We present Tracking Protection in the Mozilla Firefox web browser. Tracking Protection is a new privacy technology to mitigate invasive tracking of users’ online activity by blocking requests to tracking domains. We evaluate our approach and demonstrate a 67.5% reduction in the number of HTTP cookies set during a crawl of the Alexa top 200 news sites. Since Firefox does not download and render content from tracking domains, Tracking Protection also enjoys performance benefits of a 44% median reduction in page load time and 39% reduction in data usage in the Alexa top 200 news sites.


  • Mozilla Firefox
  • Configuration
    • about:config
    • privacy.trackingprotection.enabled=true
  • Release
    • Firefox Nightly
    • Firefox 35
    • Not committed for any production release?
  • Development
    • 1029886 tracking bug for tracking protection
  • Architecture
    • curated blocklist
    • Disconnect’s list (not EasyList)
    • (Google) SafeBrowsing API
  • Features
    • Cookie Blocking
    • Beacon Blocking
  • Justification
    • Performance (page latency reduction).
    • Sotto voce, surveillance blocking.
    • Sotto voce, ad blocking.
  • Threat Model
    • <quote cite=”ref” page=”2″>Our adversary is a powerful billion-dollar online advertising and social networking industry</quote>
  • trackingprotectionfirefox at some github.
  • Performance claims
    • some telemetry
    • some simulation
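The per-request decision that the architecture above describes, as an added example written for this page (it is not Mozilla’s Tracking Protection code): a request is blocked when its host is on the curated blocklist and it is third-party relative to the page being loaded; a blocked request never reaches the network, so its cookies and beacons are never set or sent, which is where the paper’s cookie-count reduction comes from. The blocklist entries, the request log and the last-two-labels approximation of the registrable domain are constructed assumptions; a real implementation consults the Public Suffix List.

```javascript
// Added example for this page, not Mozilla's Tracking Protection code.
// Tracking Protection blocks a request when (a) its host is on a curated
// blocklist of tracking domains and (b) the request is third-party relative
// to the page being loaded. Blocked requests never reach the network, so
// their cookies and beacons are never set or sent. The blocklist entries,
// the request log and the eTLD+1 rule below are constructed assumptions.

// Constructed sample blocklist (Disconnect's list is far larger; Firefox
// ships it to the client through the SafeBrowsing update mechanism).
const TRACKER_BLOCKLIST = ['tracker.example', 'analytics.example.net', 'beacon.example.org'];

// Registrable domain approximation: the last two labels. A real implementation
// consults the Public Suffix List (think co.uk); this is enough for the sample.
function registrableDomain(host) {
  return host.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

// Match on label boundaries only: "nottracker.example" must not match "tracker.example".
function onBlocklist(host, blocklist) {
  const h = host.toLowerCase();
  return blocklist.some(d => h === d || h.endsWith('.' + d));
}

function isThirdParty(requestHost, topHost) {
  return registrableDomain(requestHost) !== registrableDomain(topHost);
}

// The per-request decision: {block, reason}.
function decide(requestUrl, topLevelUrl, blocklist = TRACKER_BLOCKLIST) {
  const req = new URL(requestUrl), top = new URL(topLevelUrl);
  if (!onBlocklist(req.hostname, blocklist)) return { block: false, reason: 'not on blocklist' };
  if (!isThirdParty(req.hostname, top.hostname)) return { block: false, reason: 'first-party' };
  return { block: true, reason: 'third-party tracker' };
}

// Replay a request log and count what changes, the way the paper measures
// cookies set with and without protection. Each entry: {url, top, setsCookie}.
function evaluate(log, blocklist = TRACKER_BLOCKLIST) {
  const r = { requests: log.length, blocked: 0, cookiesWithout: 0, cookiesWith: 0 };
  for (const e of log) {
    const d = decide(e.url, e.top, blocklist);
    if (e.setsCookie) r.cookiesWithout++;
    if (d.block) r.blocked++;
    else if (e.setsCookie) r.cookiesWith++;
  }
  r.cookieReductionPct = r.cookiesWithout ? Math.round(100 * (1 - r.cookiesWith / r.cookiesWithout)) : 0;
  return r;
}

// Constructed request log, not a real crawl.
const SAMPLE_LOG = [
  { url: 'https://news.example.com/index.html',       top: 'https://news.example.com/',        setsCookie: true },
  { url: 'https://cdn.tracker.example/pixel.gif',     top: 'https://news.example.com/',        setsCookie: true },
  { url: 'https://analytics.example.net/collect?v=1', top: 'https://news.example.com/',        setsCookie: true },
  { url: 'https://nottracker.example/lib.js',         top: 'https://news.example.com/',        setsCookie: false },
  { url: 'https://beacon.example.org/b',              top: 'https://www.beacon.example.org/',  setsCookie: true },
];

if (typeof module !== 'undefined' && require.main === module) {
  console.log(evaluate(SAMPLE_LOG));
}
```

Note the last log entry: a listed domain loaded by its own site is first-party and is left alone, which is why the list alone does not decide anything; the third-party test does.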


Somehow solving similar problems.



Archaeological order…




Wandering, moot, through the naïveté of the chain of reasoning here, flow with it.


Authors = <quote cite=”ref” page=”4″>

Finally, browser makers bear tremendous responsibility in mediating conflicts between privacy interests of users and the advertising and publishing industries. Tracking Protection for Firefox is off by default and hidden in advanced settings. We call upon Mozilla, Microsoft, and other browser makers to make tracking protection universally available and easy to use. Only then will the balance of power shift towards interests of the people instead of industry.



Greybeard = <moot>

Browser makers can’t have it both ways here.  They can’t be “common carriers” who make net-neutral and network-neutral consumer premises equipment (CPE) as pure-play suppliers to the media trade and also be the arbiters of the rights, rules and procedures of that industry without also entering that industry as a primary; i.e. as a publisher which owns a venue and manages an audience, which, as busking, is a fine and honorable vocation with a long and storied tradition dating back to the earliest ages.  Indeed: Firefox Sponsored Tiles.

Hiding such intervention capability in the “advanced settings” doesn’t ameliorate the conceptual error here. The terms of the trade have always and ever been between the publisher and the advertiser. The consumer (which is you, dear reader), as a catalyst of the relationship, is party to this activity only insofar as the terms of the publisher-advertiser business arrangement specify that the publisher is able to deliver some quantifiable action, generally quantifiable attention, of the consumer (which, to remind, is you, dear reader) to the advertiser under the terms of their bilateral deal (common commercial terms being CPM, CPC, CPA, etc.).  The consumer’s consent is entailed by virtue of having received media from the publisher in the first instance.

As for your part of this, you are a consumer, and only that.  As the appellation implies, you don’t own the creative product that you’re enjoying; you never did, you never will. Your rights are limited to personal experience under the stated terms.  Otherwise, by convention, broader allowances would have had to be granted to you in an expression, an explicit writ. Your activities with regard to blocking publishers trading with advertisers, in order to petition them to change their business practices as you experience them, is a project that is, at best, fraught with contradictions and complications. To want to change the legal framework of creative product ownership & delivery is a tall order and would necessarily have implications in other areas of the media business.  The law is pretty clear on the countervailing point.  Namely, that the publisher owns the media, as they created it. They are purveying it under terms set forth. The media is licensed to you, and performed for you, even when on equipment that you own, for the sole purpose of your private enjoyment as an individual.  During your experience of the work, you do not receive any other rights, such as the right of derivation, summarization, retransmission, republication, public performance, etc.  These conditions adhere to you by your presence in the experience as a consumer unit. You are necessarily subject to the Terms & Conditions set forth at the time the media was administered to you.  Indeed the whole foundation of Creative Commons and Open Source licensing is centered upon this point.



Activist = <moot2>

Yet “we” build, “we” own & “we” operate the CPE. These HTML5-JS-CSS3 browser media-players are “ours.”  We are the web!  Unlike print, OTA TV or radio media where the players are locked down. We build CPE; we block as we like. This cannot be stopped.



Publisher = We parry and invoke EME, CDM, DRM & block you with DMCA. Like we do with video. QED.

Via: backfill.

Spamness for Thunderbird (requires a folder rebuild)

Spamness for Thunderbird: (sometimes) Does. Not. Work.  But if it did, it would be great!

Seems to work on some folders, but not on others.  Even with the folder rebuild. But, specifically, it isn’t working on the inbox, where it is needed the most (because after the inbox you have, by definition, refiled the mail, so you pretty much know whether it’s spam or not).


Recall that Thunderbird is consciously uncoupling from Mozilla (long live Thunderbird!).
c.f. Thunderbird Reorganizes at the 2014 Toronto Summit; In Their Blog; 2014-11-25.

Pure URL for Firefox removes garbage like ‘utm_source’ from URLs

Pure URL for Firefox


More than the default settings; cut & paste this into the add-on’s config settings in about:addons:

utm_cid, smprod, smid, it_source, wpmp_tp, utm_hp_ref, mod, tag, mbid, mtid, ncid, utm_source, utm_medium, utm_term, utm_content, utm_campaign, utm_reader, utm_place, ga_source, ga_medium, ga_term, ga_content, ga_campaign, ga_place, yclid, _openstat, fb_action_ids, fb_action_types, fb_ref, fb_source, action_object_map, action_type_map, action_ref_map
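What the add-on does with that list, as an added example written for this page (it is not Pure URL’s code): the listed parameter names are removed from a URL’s query string before it is followed or shared, matching case-insensitively on the whole name so that an unrelated parameter that merely contains “tag” survives; the path, the remaining parameters and the fragment are preserved. Handling a fragment that is itself shaped like a query string (some sites put `#utm_source=…` there) is an assumption beyond the add-on’s description, and the sample URLs are constructed.

```javascript
// Added example for this page, not the Pure URL add-on's code: strip the
// tracking parameters listed above from a URL. Matching is on the whole
// parameter name, case-insensitively; path, other parameters and fragment are
// kept. Assumption: a fragment shaped like a query string (#utm_source=...)
// is cleaned the same way. Sample URLs are constructed.

const GARBAGE_PARAMS = new Set([
  'utm_cid', 'smprod', 'smid', 'it_source', 'wpmp_tp', 'utm_hp_ref', 'mod', 'tag', 'mbid',
  'mtid', 'ncid', 'utm_source', 'utm_medium', 'utm_term', 'utm_content', 'utm_campaign',
  'utm_reader', 'utm_place', 'ga_source', 'ga_medium', 'ga_term', 'ga_content', 'ga_campaign',
  'ga_place', 'yclid', '_openstat', 'fb_action_ids', 'fb_action_types', 'fb_ref', 'fb_source',
  'action_object_map', 'action_type_map', 'action_ref_map',
]);

// Returns {url, removed}; an input that does not parse as a URL is returned unchanged.
function stripTrackingParams(href, garbage = GARBAGE_PARAMS) {
  let u;
  try { u = new URL(href); } catch (e) { return { url: href, removed: [] }; }
  const removed = [];

  // Snapshot the keys first: deleting while iterating searchParams is unsafe.
  for (const key of [...new Set(u.searchParams.keys())]) {
    if (garbage.has(key.toLowerCase())) { u.searchParams.delete(key); removed.push(key); }
  }
  if ([...u.searchParams.keys()].length === 0) u.search = '';   // no dangling "?"

  // Fragment-as-query (assumption, see above). Only rewrite it when something
  // was actually removed, so "#top" style fragments are never touched.
  const hash = u.hash.slice(1);
  if (hash.includes('=')) {
    const fp = new URLSearchParams(hash);
    const junk = [...new Set(fp.keys())].filter(k => garbage.has(k.toLowerCase()));
    if (junk.length) {
      junk.forEach(k => { fp.delete(k); removed.push('#' + k); });
      u.hash = fp.toString();                                    // '' drops the "#"
    }
  }
  return { url: u.href, removed };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(stripTrackingParams('https://example.com/a?utm_source=nl&id=5&fb_ref=x#top'));
}
```

Pasting the same names into Pure URL gives the same effect in the browser; the function here is what you would run over a link before putting it in a message or a bookmark.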

InContext 2014

InContext 2014 by EverythingMe.

On the notion of context and anticipation of needs in & around a device class that has no keyboard and lives with you.


video; 48:47; slides

Benedict Evans, Andreesen Horowitz
Q&A with Benedict Evans facilitated by Tim Draper (he plays John Battelle in this vignette)

  • Recites the boring statistics,
    • up-and-to-the-right,
    • explosive growth,
    • gosh it’s really big,
    • <gee whizz!>
  • He compares
    • Yahoo 1996 to App Store 2014; replaced by Google (unstructured search)
    • Web vs Internet; the web is all “the internet does”
    • Mobile is “pre-pagerank”
  • What happens in 5 years
    • He doesn’t know
    • Android (in 5 years)
    • Coding languages (in 5 years)
    • iBeacon
    • Access vs owning
  • Strategies
    • Apple: top down the stack (from control of the supply chain)
    • Google: up the stack (from hardware fragmentation)
  • Strategies
    • I know what I want => Google
    • I’m bored => Facebook, BuzzFeed, etc. etc.
    • Demand Generation => empty
  • Smart(phones)
    • Are inherently social
    • Take away “winner take all”
  • Cards as content packages
    • Can be shared
    • Can be syndicated
    • Contradiction:
      • Atomised Content
      • App Silos
  • What’s Already Known
    • Contacts
    • Calendar
    • Apps frequently used
    • Travel patterns
    • etc.
  • Context
    • Google Now
    • or other similar things
  • But
    • The Filter Bubble
    • The Uncanny Valley
  • Something about ‘Ecosystem Cohorts’
  • Neither Apple nor Google “will win”; there is no “winner take all” dynamic.


  • Some generalized whining
    • that intent and preference prediction won’t work;
      story about Pandora from Tim Draper.
    • that Google Now is ‘closed’ to (his) startups.
  • Unclear that a human butler (ahem, “life coach”) could achieve these standards.
  • Something about the music industry
    • It’s a distribution business
    • A quote from Mick Jagger about musicians not being paid 1970s-1995, not before, not after.
  • Draper on tablet vs PC
    • Tablet is for reading (&deleting)
    • PC is for creating

Bytes of Context

video; 25:42

  • Andreas Gal, Mozilla,
  • Andy Grignon, Quake Labs/Eightly, moderator
  • Andy Hickl, A.R.O,
  • G D Ramkumar, Swell.
  • Dave Smiddy, Alohar.

Global Context

video; 28:27

  • Josh Constine, TechCrunch, moderator
  • Brendan Eich from Mozilla,
  • Seth Sternberg from Google,
  • Ami Ben David from EverythingMe.

Mozilla Product Announcement

video; 29:52

  • Ami Ben David, Co-founder and Head of Strategy and Marketing at EverythingMe,
  • Andreas Gal, VP Mobile at Mozilla.

Firefox Launcher for Android by Mozilla

Wearables in Context

video; 33:08

  • Peter Berger, People+,
  • Christina Farr, VentureBeat,
  • Monisha Perkash, LUMO,
  • Rackspace’s Robert Scoble, moderator
  • Redg Snodgrass, Wearable World.

Via: backfill

Click-to-Play in Mozilla’s Firefox


Via: backfill, backfill

Click-to-Play, in the Mozilla Wiki.

Click-to-Play, in Mozilla Support.

Lightbeam for Firefox



  • Visualizations
    1. Graph
    2. Clock
    3. List
  • Sharing
    • Data stored locally




Via: backfill


Mozilla Firefox Social API in Firefox Facebook Messenger (and others)


  • Turn Off Facebook Service
  • Disable Facebook Service




  • Control Messages
  • Service Works
  • Ambient Notification Control
  • Active Notification Control
  • Page Marks (Recommendations)
  • Link Recommendation Control
  • Messages Sent to Widgets
  • from Firefox 23
    • Share (button)
    • Service Discovery


By Mozilla …


Ahem … surely there’s more of a following for Mozilla’s product offerings than one beat reporter over at AOL (TechCrunch).  But that’s not what the search engines are telling me…




Mozilla Prospector is User Personalization Built Into the Browser

Prospector by Mozilla Labs


What is It?

  • Seems to be a concept, a vision.
  • A set of collaborations with publishing businesses.
  • A solicitation of feedback, a call for a vote of confidence in the vision.

Not yet

  • Running code
  • Released feature set
  • An experience
  • Not yet at the wireframe/screen shot stage.


  • Content preferences managed in the browser
  • Content targeting preferences communicated to web servers (e.g. advertisers)
  • Service destinations, e.g. Firefox Marketplace, could recommend based on declared interests.


  • <quote><snip/>we’ve begun testing this concept with volunteer participants<snip/>sharing their interests on their own terms in order to see personalized content, and the results are promising.</quote>
  • <quote>We think this type of offering could bring transparent, effective personalization to users all across the Web in ways we haven’t even thought of yet. What do you think <snip/>? </quote>




Via backfill, backfill, backfill and noted.