path: root/toolkit/components/glean/docs/user/ohttp.md
blob: ec73612db69308306fbb1c066c21d001910c7550 (plain)
# Using Oblivious HTTP in Firefox on Glean

[Oblivious HTTP (RFC 9458)][ohttp-spec]
is an Internet standard transport that permits a separation of privacy concerns.

A client sending an HTTP(S) request necessarily exposes both
its network address and the request's contents to the destination server.
By introducing encapsulation and a relay,
OHTTP allows for a system in which a third-party relay may learn only the network address and not the contents,
and the server may learn only the request contents and not the network address.

This can be a useful risk mitigation for data collections we do not wish to associate with an IP address.

## Can I use OHTTP for my Data?

Any data collection that meets the following criteria can use OHTTP:
* Your data must be solely collected on Firefox Desktop.
    * At this time, no other Mozilla project supports OHTTP.
* Your data must be recorded via Glean.
    * It is the sole data collection system at Mozilla that supports OHTTP.
* Your data must be in its own [custom ping][custom-ping-doc].
    * OHTTP is a transport-level decision and pings are Glean's transport payload.
* Your data (like all new or expanded data collections in Mozilla projects)
  must have gone through [Data Collection Review][data-review].
    * If you're considering OHTTP it's likely because the data you intend to collect is sensitive.
      That'll mean you'll probably specifically need to go through
      [Sensitive Data Collection Review][sensitive-review].
* Your data must not need to be associated with an id that is sent without OHTTP.
    * This includes `client_id` and the Mozilla Accounts identifier.
      The `client_id` and other fingerprinting information are explicitly excluded
      from pings using OHTTP.

## How can I use OHTTP for my Data?

### Short Version: add two metadata fields to your ping definition

Most simply, you opt a ping into using OHTTP by augmenting its
`pings.yaml` definition with these three lines:

```yaml
  metadata:
    include_info_sections: false
    use_ohttp: true
```

[Here is a convenience link to a searchfox search for `use_ohttp: true`][use-ohttp-searchfox]
if you'd like to see existing uses in tree.

### Longer Version

0. Ensure you've followed the necessary steps for
   [adding new instrumentation to Firefox Desktop][new-instrumentation-doc]:
    * Name your ping,
    * Design and implement your instrumentation,
    * Design and implement your ping submission schedule,
    * Arrange for [data review][data-review] (probably [sensitive][sensitive-review]).
1. Augment your ping's definition in its `pings.yaml` with
   `metadata.include_info_sections: false` and
   `metadata.use_ohttp: true`:
    * `include_info_sections: false` ensures that there is no
      `client_id` or fingerprintable pieces of `client_info` or `ping_info`
      fields that would allow us to trivially map this ping to a specific client.
    * `use_ohttp: true` signals to Firefox on Glean's (FOG's) `glean_parser` extensions to
      generate the necessary code to recognize this ping as needing OHTTP transport.
      It is read in FOG's uploader to ensure the ping is only sent using OHTTP.
2. [Test your instrumentation][instrumentation-tests].

And that's it!
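
A review-time check for the two settings from step 1, added here as an example and not part of FOG or `glean_parser`: it takes a `pings.yaml` already parsed into a mapping and reports OHTTP pings that would still carry identifying sections. The function name, the sample pings, treating an absent `include_info_sections` as `true`, and flagging `include_client_id: true` are assumptions of this example.

```python
from typing import Any


def lint_ohttp_pings(pings: dict[str, Any]) -> list[str]:
    """Return findings for pings that opt into OHTTP but may stay linkable.

    `pings` is one pings.yaml file parsed into a mapping, for example the
    result of yaml.safe_load() from PyYAML.
    """
    findings = []
    for name, definition in pings.items():
        # Skip "$schema" and any other top-level key that is not a ping.
        if str(name).startswith("$") or not isinstance(definition, dict):
            continue
        metadata = definition.get("metadata")
        if not isinstance(metadata, dict) or metadata.get("use_ohttp") is not True:
            continue  # not an OHTTP ping, nothing to check
        # Assumption: when include_info_sections is absent the sections are sent,
        # so only an explicit `false` satisfies the requirement.
        if metadata.get("include_info_sections", True) is not False:
            findings.append(f"{name}: use_ohttp without include_info_sections: false")
        # Policy of this example: asking for the client_id contradicts the
        # requirement that an OHTTP ping is not tied to an id sent elsewhere.
        if definition.get("include_client_id") is True:
            findings.append(f"{name}: include_client_id: true on an OHTTP ping")
    return findings


# Constructed sample input (hypothetical ping names), shaped like a parsed pings.yaml.
SAMPLE = {
    "$schema": "moz://mozilla.org/schemas/glean/pings/2-0-0",
    "good-ping": {
        "include_client_id": False,
        "metadata": {"include_info_sections": False, "use_ohttp": True},
    },
    "leaky-ping": {
        "include_client_id": True,
        "metadata": {"use_ohttp": True},  # info sections not disabled
    },
    "plain-ping": {"include_client_id": True},  # ordinary ping, ignored
}

if __name__ == "__main__":
    for finding in lint_ohttp_pings(SAMPLE):
        print(finding)
```
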


[ohttp-spec]: https://datatracker.ietf.org/doc/rfc9458/
[custom-ping-doc]: https://mozilla.github.io/glean/book/reference/pings/index.html
[data-review]: https://wiki.mozilla.org/Data_Collection
[sensitive-review]: https://wiki.mozilla.org/Data_Collection#Step_3:_Sensitive_Data_Collection_Review_Process
[use-ohttp-searchfox]: https://searchfox.org/mozilla-central/search?q=use_ohttp%3A%20true
[new-instrumentation-doc]: ./new_definitions_file.md
[instrumentation-tests]: ./instrumentation_tests.md