
add panel for email fields to link to relay #700

Merged: 5 commits, Jul 28, 2021

groovecoder
Member

@maxxcrawford just an idea right now ... couple things I noticed that I might need help with ...

  • The panel pops up when you select any email input field - should we make it only pop up when someone clicks the fence badge?
  • The fence badge in the email input field conflicts with the relay badge in the email input field if both are installed. Any way to detect the relay badge and remove the fence in that case?
  • Probably more I haven't thought of?

@maxxcrawford
Collaborator

  • Should we make it only pop up when someone clicks the fence badge? Yes. Esp. since this is new behavior, there's a chance users could uninstall (as it doesn't explicitly offer functionality for containing Facebook). I would recommend blocking this feature for the settings panel (Add Options/Settings Page Functionality #721), to give users more control over this feature.
  • The fence badge in the email input field conflicts with the relay badge in the email input field if both are installed. Any way to detect the relay badge and remove the fence in that case? Yes. We already do detection for users who have M-AC installed.

I also recommend revising the language to allow for easy dismissal. (Adding an extra check box to dismiss this promo entirely.)

@groovecoder groovecoder marked this pull request as ready for review July 27, 2021 15:04
@groovecoder
Member Author

@maxxcrawford - updated to only show the pop-up on badge click, and DON'T show the badge if Relay is already installed.

This changes detectFacebookOnPage into an async function that awaits the call to the background script to see whether the Relay add-on is enabled. But the performance hit should be minimal, as the other patternDetection calls run regardless? Or have I forgotten how async/await performance works?
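
The flow described in the comment above, as an added example (not code from this pull request): a content-script check that awaits a background-script reply about Relay before deciding whether to draw the email badge. The message type `check-relay-enabled`, the storage key `hideRelayEmailBadges`, the add-on ID placeholder and the injected `api` object are assumptions made for illustration.

```javascript
// Added illustration; not the Facebook Container source.
// Hypothetical names: RELAY_ADDON_ID, "check-relay-enabled", hideRelayEmailBadges.
const RELAY_ADDON_ID = "<relay-addon-id>"; // placeholder, not given on the page

// Background side: answer the content script's question.
// browser.management.get() rejects when the add-on is not installed.
async function handleMessage(api, message) {
  if (message.type !== "check-relay-enabled") return undefined;
  try {
    const info = await api.management.get(RELAY_ADDON_ID);
    return { relayEnabled: info.enabled === true };
  } catch (_notInstalled) {
    return { relayEnabled: false };
  }
}

// Content side: both lookups start before either is awaited, so the
// wait is the slower of the two, not their sum. Only this function is
// suspended; callers that do not await it keep running.
async function shouldShowEmailBadge(api) {
  const relayReply = api.runtime.sendMessage({ type: "check-relay-enabled" });
  const stored = api.storage.local.get("hideRelayEmailBadges");
  const [reply, prefs] = await Promise.all([relayReply, stored]);
  if (reply && reply.relayEnabled) return false;         // Relay draws its own badge
  if (prefs.hideRelayEmailBadges === true) return false; // "Don't show me this again"
  return true;
}

// Constructed stand-in for the WebExtension `browser` object so the
// example runs under Node; in an extension, pass `browser` itself.
function fakeBrowser(relayInstalled, relayEnabled, dismissed) {
  const api = {
    management: { get: async (id) => {
      if (!relayInstalled) throw new Error("No such add-on: " + id);
      return { id, enabled: relayEnabled };
    } },
    storage: { local: { get: async (key) => (dismissed ? { [key]: true } : {}) } },
    runtime: { sendMessage: (msg) => handleMessage(api, msg) },
  };
  return api;
}

// Constructed cases: fresh browser, Relay enabled, Relay disabled, promo dismissed.
async function demo() {
  const cases = [[false, false, false], [true, true, false],
                 [true, false, false], [false, false, true]];
  return Promise.all(cases.map((c) => shouldShowEmailBadge(fakeBrowser(...c))));
}
```
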

@maxxcrawford
Collaborator

maxxcrawford commented Jul 27, 2021

Testing steps:

(New/fresh browser)

Test 1: Email fields display FBC badge icon

  • Go to https://www.kickstarter.com/login
  • Expected: Email field has a FBC badge icon.
  • Click on the Email badge.
  • Expected: Try Relay prompt is visible with the "Don’t show me this again" checkbox UNCHECKED.

Test 2: After installing Relay Add-on, email fields do not display FBC badge icon

Test 3: After uninstalling Relay Add-on, email fields display FBC badge icon

Test 4: After clicking "dismiss" button on the Relay prompt, the FBC badge icon is removed

  • Click on the Email badge.
  • Expected: Try Relay prompt is visible with the "Don’t show me this again" checkbox UNCHECKED.
  • Click on "Dismiss"
  • Expected: The prompt is closed and the FBC badge icon is removed

Test 5: After clicking "dismiss" button on the Relay prompt, the FBC badge icon is removed

  • Click on the Email badge.
  • Expected: Try Relay prompt is visible with the "Don’t show me this again" checkbox UNCHECKED.
  • Click on the "Don’t show me this again" checkbox
  • Click on "Dismiss"
  • Expected: The prompt is closed and the FBC badge icon is removed
  • Reload the page
  • Expected: Email field no longer has a FBC badge icon.

@groovecoder
Member Author

Code LGTM and works well.

@flodolo - can you check our strings?

Collaborator

@maxxcrawford maxxcrawford left a comment

LGTM to me too! 🤝

@groovecoder groovecoder merged commit b338650 into master Jul 28, 2021
@groovecoder groovecoder deleted the add-link-to-relay branch July 28, 2021 17:04
@conartist6

conartist6 commented Sep 2, 2021

Hi, I'm finding this PR after seeing this feature in the wild and I'd like to know more about the security/privacy background behind it. As a disclaimer I formerly worked for facebook, though I bear them no particular good will. My question is: is there a concrete threat here? If so where could I find discussion of it? The message specifically discusses facebook (I guess because this is a plugin about facebook) but really as far as I can tell all it means is that if you give anyone your email they have your email, and may use it to look up additional data about you.

Now the Firefox Relay service certainly can solve that problem, though of course it's not a silver bullet since there are still browser fingerprinting approaches to contend with. But Relay has nice graphic design, promises to provide something for nothing... uh oh, actually that makes me a bit suspicious! Won't they have to monetize it eventually to cover their costs if it's really successful? Wouldn't that make this warning kind of more like an unsolicited advertisement injected into every page?

And in advance, sorry. I appreciate everything the collabs here have built, and I very much believe that people should have the right to contain facebook (or Amazon or Microsoft, etc). I just like to reserve a healthy dose of suspicion, and I think that the people trying in good faith to help ignorant users need to take extra care to be sure they are really educating. What in my mind might address the problem (in the long term) is offering a way to break down and provide context on privacy policy legalese so that users could decide for themselves whether they trust any given site with their (real) data, at which point it would be reasonable to offer ways to safeguard your identity when interacting with untrusted sites.

@dveditz
Member

dveditz commented Sep 9, 2021

The original implementation showed too often, which was corrected in #784. The worry is not that you're giving your email to some random site which might then pass it along in the backend (it can, many do), but specifically when the page has facebook scripts. If you're trying to "Contain Facebook" so they can't track you, you don't want facebook using your email address to correlate your activities outside the Facebook jail (container) with your facebook account.

@conartist6

@dveditz So to be clear you're telling me that facebook scripts will scrape form inputs for my email address?

I'm looking at developer docs for the facebook pixel and it does seem that it would be possible for the authors of the site embedding the pixel to send email address as part of the pixel, but as far as I can tell that just becomes unused metadata about an event.

I still don't understand if this is a reaction to a particular threat or policy, or if it's just warning you of what's in the realm of possibility.

@dveditz
Member

dveditz commented Sep 10, 2021

I don't work on Facebook Container nor our general anti-tracking efforts so I don't have a specific answer to that question or what Facebook Container is specifically claiming.

I do know we have identified many tracking scripts that harvest emails, but I don't know if Facebook scripts are among them. We also know that Facebook gathers information about non-users ("shadow profiles") and buys information from data brokers, some of whom are the ones doing the email harvesting.
