Using Oblivious HTTP in Firefox on Glean

Oblivious HTTP (RFC 9458) is an Internet standard transport that permits a separation of privacy concerns.

A client sending an HTTP(S) request necessarily exposes both their network address and the request’s contents to the destination server. OHTTP allows, through the introduction of encapsulation and a relay, for a system by which a third-party relay may learn only the network address and not the contents, and the server may learn only the request contents and not the network address.

This can be a useful risk mitigation for data collections we do not wish to associate with an IP address.

Can I use OHTTP for my Data?

Any data collection that meets the following criteria can use OHTTP:

  • Your data must be solely collected on Firefox Desktop

    • At this time, no other Mozilla project supports OHTTP.

  • Your data must be recorded via Glean.

    • It is the sole data collection system at Mozilla that supports OHTTP.

  • Your data must be in its own custom ping.

    • OHTTP is a transport-level decision and pings are Glean’s transport payload.

  • Your data (like all new or expanded data collections in Mozilla projects) must have gone through Data Collection Review.

    • If you’re considering OHTTP it’s likely because the data you intend to collect is sensitive. That’ll mean you’ll probably specifically need to go through Sensitive Data Collection Review.

  • Your data must not need to be associated with an id that is sent without OHTTP.

    • This includes client_id and the Mozilla Accounts identifier. The client_id and other fingerprinting information are explicitly excluded from pings using OHTTP.

How can I use OHTTP for my Data?

Short Version: add two metadata fields to your ping definition

Most simply, you opt a ping into using OHTTP by augmenting its pings.yaml definition with these three lines:

  metadata:
    include_info_sections: false
    use_ohttp: true

Here is a convenience link to a searchfox search for use_ohttp: true if you’d like to see existing uses in tree.

Longer Version

  1. Ensure you’ve followed the necessary steps for adding new instrumentation to Firefox Desktop:

    • Name your ping,

    • Design and implement your instrumentation,

    • Design and implement your ping submission schedule,

    • Arrange for data review (probably sensitive).

  2. Augment your ping’s definition in its pings.yaml with metadata.include_info_sections: false and metadata.use_ohttp: true:

    • include_info_sections: false ensures that there is no client_id or fingerprintable pieces of client_info or ping_info fields that would allow us to trivially map this ping to a specific client.

    • use_ohttp: true signals to Firefox on Glean’s (FOG’s) glean_parser extensions to generate the necessary code to recognize this ping as needing OHTTP transport. It is read in FOG’s uploader to ensure the ping is only sent using OHTTP.

  3. Test your instrumentation.

And that’s it!