GNOME Bugzilla – Bug 794600
Privacy problem: Chrome Gnome Shell integration Release Notes associates profiles with each other
Last modified: 2018-03-22 19:56:32 UTC
The "GNOME Shell integration" Chrome plugin opened a browser tab that loaded https://wiki.gnome.org/Projects/GnomeShellIntegrationForChrome/ReleaseNotes/10.1 It did this simultaneously across all open Chrome profile windows. Separate Chrome profiles are intended to provide some privacy isolation between them. Load a page simultaneously from all profiles allows what are intended to be separate privacy domains to be joined together by the remote servers hosting the retrieved resources. This wiki.gnome.org page makes 20 HTTP requests to these five domains: 6 wiki.gnome.org 9 static.gnome.org 1 www.gnome.org 1 fonts.googleapis.com 3 fonts.gstatic.com I.e., requests that potentially enable profile-joining are made not just to Gnome servers, but also to Google. This feels especially frustrating because I didn't choose to install this extension -- it was installed by default somehow -- and I don't know what it does or why I would want it. I certainly don't care about reading the release notes. If this extension must open tabs for the user to read stuff, please use local URLs like chrome-extension://gphhapmejobijbbhgpjhcjognlahblep/release-notes.html that do not include remote resources.
> The "GNOME Shell integration" Chrome plugin opened a browser tab You can disable opening release notes using extension options page. > This feels especially frustrating because I didn't choose > to install this extension You did. Probably by installing chrome-gnome-shell distro package containing managed policies. Newer versions of chrome-gnome-shell does not contains managed policies.