With Firefox 43 we have the possibility to natively disable known trackers. With the new privacy protection mode you can do more than you think. An experiment worth trying.

I’ve been experimenting quite a lot with Firefox’ new tracking protection recently. It revealed some quite interesting things about where we’re at in the web. Unfortunately, it’s not as good as you might think and here’s why.

You might have heard that Facebook has introduced 2G Tuesdays to make developers aware of the performance implications. We can do this in many more occasions, one of them is emulating package loss with mobile data, another one ad-blocking. And as ad-blocking and privacy-extensions are on a quick rise currently with native solutions coming up as well, we should consider this a common use-case for our products we build.

Here’s how you can enable it:

Grab it as gif here [33MB]

What does this mean? I can only encourage you enable Firefox’ Privacy Protection Strict Mode at last one day per week and see what works and what doesn’t. You might not think that it has much impact but in fact, the web is very broken. Many applications require jQuery from the Cloudfront service which is on the Disconnect block list. If you now have your own JavaScripts not on Cloudfront it can’t find $ as jQuery is blocked. If you have your JavaScript and CSS on Cloudfront as well, all these resources are blocked, too.

I can conclude that most problems I found occurred with SPAs. Trello couldn’t provide a login anymore, Todoist does show a blank page (not even their website is available anymore), and many other applications and websites are at least without JS and CSS, some without any content. The most common error besides using cloudfront.net hostnames for their assets was that they rely on some external JavaScript variables and don’t test for it, causing the whole JavaScript to break in case the 3rd party script was blocked.

You can avoid this by doing a few things:

• If you use Cloudfront, make sure to use a custom HTTPS certificate, and thus, a custom hostname that isn’t blacklisted. This doesn’t fix the root issue that Cloudfront tracks the user (statistics), but at least the app is still usable.
• Reduce the Single Point of Failure using Service Workers.
• Be sure to read this article on Third Party Content in an HTTP/2 and ad blockers world by Yoav Weiss.
• Always test if a variable exists, and if not, don’t let it break your entire JavaScript. Especially when your app is relying on JavaScript.
• Never (ever!) rely on the availability of any third-party (also not on an external CDN). Your app should work without it and you should have a backup plan when a 3rd party you rely on is not available.