I was thinking about the latest issue about how missing PO (PerformanceObserver) can make an entire website disappear (Javascript deleting the content on error, etc.).
We know the core of the problem is framework requiring a "debugging" and potentially privacy-invasive features in order to work normally, effectively making an invisible tracker a necessity to use the Web. At the same time, it seems no activist for privacy et al. is making so much as a whisper about any of it.
I think, people don't realize this is a thing because they use Firefox or some Chromium derivative, both of which have POs working in full, so they do not know which sites use them; due to the extreme (and often unnecessary) breadth of the Javascript API they might even not know at all about PO's existence.
I myself don't have much of a reach inside the activism circle and this forum specifically doesn't seem to either, but I know a few users here and there do have some contacts, even just knowing the name of someone or other.
I believe it would be beneficial if anyone with enough expertise could describe the extent of PO's invasion of privacy and write a proof of concept (can be multiple people), that way a "proper" (for a lack of a better word) description of the issue can be shared as a single unit and hope someone report on it.
What do you think?
Identifying PerformanceObserver's Invasiveness
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
-
vannilla
- Moon Magic practitioner
- Posts: 2519
- Joined: 2018-05-05, 13:29
-
Gemmaugr
- Lunatic
- Posts: 417
- Joined: 2025-02-03, 07:55
Re: Identifying PerformanceObserver's Invasiveness
Well, as you can probably guess (https://forum.palemoon.org/viewtopic.ph ... 83#p266917), I'm completely for doing a write-up of this kind. Don't have the skills or connections myself either though. All I can do at most is look things up and follow red threads.
It seems this is a a default inclusion in Meta's (which is now Linux Foundation's) React site framework (https://reactnative.dev/docs/global-PerformanceObserver), and the most used site framework at 6% (https://en.wikipedia.org/w/index.php?ti ... kin=vector).
Facebook/Meta/Instragram notoriously only working properly on the latest chromium versions and FB being a part of Big Tech/GAFAM/FAANG.
React Framework can be used with React.JS, now React Router (owned by Shopify) or Vue.js (both being dependent on googles V8 javascript).
It's hailed as a competitor to Next and Node.js (which also run on googles V8 javascript engine) and even googles own Angular (V8 javascript engine).
Those are 5 of the top 8 most used site frameworks (https://www.statista.com/statistics/112 ... works-web/).
PerformanceObserver was introduced first by google in google chrome 52 in 2016/06/21 (https://caniuse.com/mdn-api_performanceobserver "date relative" tab).
Maybe the write-up should include a list of privacy-invasive API's released by google like Privacy Sandbox, FLoC, Topics, WEI, etc. It for sure needs some eye-catching term to liken it to googles similar no-cookie tracking initiatives.
Here are some sites describing what it does (though positively sadly):
https://plainsignal.com/glossary/performanceobserver
https://web.dev/articles/custom-metrics
https://github.com/GoogleChrome/web-vit ... e#overview
A good site to put out some feelers on would of course be https://news.ycombinator.com/news
It seems this is a a default inclusion in Meta's (which is now Linux Foundation's) React site framework (https://reactnative.dev/docs/global-PerformanceObserver), and the most used site framework at 6% (https://en.wikipedia.org/w/index.php?ti ... kin=vector).
Facebook/Meta/Instragram notoriously only working properly on the latest chromium versions and FB being a part of Big Tech/GAFAM/FAANG.
React Framework can be used with React.JS, now React Router (owned by Shopify) or Vue.js (both being dependent on googles V8 javascript).
It's hailed as a competitor to Next and Node.js (which also run on googles V8 javascript engine) and even googles own Angular (V8 javascript engine).
Those are 5 of the top 8 most used site frameworks (https://www.statista.com/statistics/112 ... works-web/).
PerformanceObserver was introduced first by google in google chrome 52 in 2016/06/21 (https://caniuse.com/mdn-api_performanceobserver "date relative" tab).
Maybe the write-up should include a list of privacy-invasive API's released by google like Privacy Sandbox, FLoC, Topics, WEI, etc. It for sure needs some eye-catching term to liken it to googles similar no-cookie tracking initiatives.
Here are some sites describing what it does (though positively sadly):
https://plainsignal.com/glossary/performanceobserver
https://web.dev/articles/custom-metrics
https://github.com/GoogleChrome/web-vit ... e#overview
A good site to put out some feelers on would of course be https://news.ycombinator.com/news
-
vannilla
- Moon Magic practitioner
- Posts: 2519
- Joined: 2018-05-05, 13:29
Re: Identifying PerformanceObserver's Invasiveness
Yeah, the history and high level explanation are known... but I was looking for more practical data. I'm no expert on "red team" privacy violation so I wouldn't really be able to build anything more than some hand waving explanation.