False positives with crossorigin=anonymous #1196

Open
fulldecent opened this issue Feb 10, 2017 · 3 comments
Labels: enhancement; heuristic (Badger's core learning-what-to-block functionality); low priority; privacy (general privacy issues; stuff that isn't about Privacy Badger's heuristic)

Comments

@fulldecent

Test case:

A web page contains these links in HEAD.

<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/css/bootstrap.min.css" integrity="sha384-rwoIResjU2yc3z8GV/NPeZWAv56rSmLldC3R/AZzGRnGxQQKnKkoFVhFQhNUwEyJ" crossorigin="anonymous">
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">
<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js" integrity="sha256-GcknncGKzlKm69d+sp+k3A2NyQE+jnu43aBl6rrDN2I=" crossorigin="anonymous"></script>
<script src="https://code.jquery.com/jquery-3.1.1.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js" integrity="sha256-1A78rJEdiWTzco6qdn3igTBv9VupN3Q1ozZNTR4WE/Y=" crossorigin="anonymous"></script>

Expected result

None of these resources are flagged as potential trackers. Or if they are flagged (because there may be identifying entropy in the URL) then a visual distinction is made to explain how these resources were included in a privacy-friendly way.

Actual result

[Screenshot of the Privacy Badger popup for the test page, taken 2017-02-10]

Discussion

The test case web page follows all recommendations in using CORS to minimize the privacy implications of including the referenced scripts. Privacy Badger makes a distinction between the NO COOKIE icon ("center the slider to block cookies"), and the GREEN ICON ("move the slider right to allow a domain"). However in the context of loading this web page, no distinction is necessary because the web page does not allow cookies to be sent to that resource.

@cowlicks
Contributor

Privacy Badger currently blocks per tracking domain across all origins. So if PB thinks a domain is tracking you with cookies, it will block that domain from setting cookies on every website you visit, regardless of the CORS policy the website sets.

I like the idea of telling users that the site you're visiting is using a good cross origin policy. But I don't think the slider should reflect that, since the slider reflects PB's global understanding of the domain, not the state of the tracker on a given website. This could change I suppose, but I think a separate UI indicator would be better. Do you have any suggestions?

@fulldecent
Author

Thank you for the explanation. This makes sense and yes I agree that the slider should not be changed.

Any change to the UI should NOT increase cognitive load on users, especially users like my grandmom. Perhaps these changes would convey the new information without adding confusion:

  • Add the existing NO COOKIE icon before trackers with CORS anonymous
    • Tooltip for this row will be: "This page does not send cookies to DOMAIN"; this will replace the current text of "Blocked cookies from DOMAIN"
  • Sort these better CORS anonymous trackers at the end of the list
  • Use white background for the CORS anonymous trackers, in contrast to the current gray background for other trackers

This last potential change would advocate websites to adopt CORS anonymous. The current project goal of Privacy Badger does not include advocacy, so such a suggestion is much above my pay grade.

  • Update badge icon to not count trackers which use CORS anonymous. I.e. the test case page above would NOT show three errors in the badger icon badge.
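To make the thread's point concrete, here is an added example (not Privacy Badger's code, nor anything posted in this issue) that takes the test-case tags from the first post and decides, per resource, whether the browser will send cookies to its host and whether SRI is in use, then derives the badge count fulldecent proposes. It assumes a placeholder page origin `https://page.example`, adds one constructed `tracker.example` script without `crossorigin` for contrast, and uses a small regex tag extractor in place of the live DOM.

```javascript
// Added example (not Privacy Badger's code): per-resource cookie exposure
// for the issue's test page. Page origin is an assumed placeholder and the
// tracker.example script is a constructed contrast case.
const PAGE_ORIGIN = 'https://page.example';
const TEST_PAGE_HEAD = `
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/css/bootstrap.min.css" integrity="sha384-rwoIResjU2yc3z8GV/NPeZWAv56rSmLldC3R/AZzGRnGxQQKnKkoFVhFQhNUwEyJ" crossorigin="anonymous">
<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js" integrity="sha256-GcknncGKzlKm69d+sp+k3A2NyQE+jnu43aBl6rrDN2I=" crossorigin="anonymous"></script>
<script src="https://code.jquery.com/jquery-3.1.1.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
<script src="https://tracker.example/t.js"></script>
`;
// HTML spec mapping of crossorigin to the fetch credentials mode: attribute
// absent -> no-cors request that carries cookies ("include");
// "use-credentials" -> CORS with cookies; "anonymous", "" or any other
// value -> CORS with "same-origin", so no cookies go to a third party.
function credentialsMode(crossorigin) {
  if (crossorigin === undefined) return 'include';
  return crossorigin.toLowerCase() === 'use-credentials' ? 'include' : 'same-origin';
}
// Minimal regex tag/attribute extractor, sufficient for this constructed
// input (an extension would inspect the DOM or webRequest details instead).
function extractResources(html) {
  const tagRe = /<(link|script)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*"([^"]*)")?/g;
  const out = [];
  for (let m; (m = tagRe.exec(html)) !== null;) {
    const attrs = {};
    for (let a; (a = attrRe.exec(m[2])) !== null;) attrs[a[1].toLowerCase()] = a[2] || '';
    const url = m[1].toLowerCase() === 'link' ? attrs.href : attrs.src;
    if (url) out.push({ url, attrs });
  }
  return out;
}
// One row per resource: third-party or not, cookies sent or not, SRI present.
function classify(html, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  return extractResources(html).map(({ url, attrs }) => {
    const u = new URL(url, pageOrigin);
    const thirdParty = u.origin !== origin;
    const cookiesSent = !thirdParty || credentialsMode(attrs.crossorigin) === 'include';
    return { host: u.hostname, thirdParty, cookiesSent, sri: 'integrity' in attrs };
  });
}
// Badge count as proposed in the thread: third-party hosts that actually
// receive cookies; CORS-anonymous includes are not counted.
function cookieTrackerHosts(html, pageOrigin) {
  const hosts = classify(html, pageOrigin).filter(r => r.thirdParty && r.cookiesSent).map(r => r.host);
  return [...new Set(hosts)].sort();
}
console.log(classify(TEST_PAGE_HEAD, PAGE_ORIGIN), cookieTrackerHosts(TEST_PAGE_HEAD, PAGE_ORIGIN));
```

As cowlicks notes below, this is a per-page view; Privacy Badger's slider state is global per domain, so such a check would feed a separate indicator rather than the slider.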
@cowlicks
Contributor

I realized there is precedent for another UI element with the sliders like this. When a domain has a public DNT policy, we put a DNT icon next to the slider, with it slid to the left colored green. However this is a global setting. Ex:
[Screenshot of the Privacy Badger popup showing the DNT icon next to a slider, taken 2017-02-18]

Also, worth noting, all of these domains are actually cookieblocked because they are on Privacy Badger's curated cookieblock list.

@ghostwords ghostwords added the heuristic Badger's core learning-what-to-block functionality label Apr 18, 2017
@ghostwords ghostwords added the privacy General privacy issues; stuff that isn't about Privacy Badger's heuristic label Aug 5, 2017