On Mon, Oct 15, 2018 at 9:50 PM <rdevc...@gmail.com> wrote:
> Thanks for your reply. I'm afraid I still don't understand the details of
> Tracking Protection. Are there any social media sites that are not on the
> tracking protection list? How are they distinguished from reddit? Perhaps
> if I understand this bit I'll be convinced to move the requests to the
> server side.
>
Our tracking protection feature is powered by the Tracking Protection list
of Disconnect.me, see https://disconnect.me/trackerprotection. There you
can find information about what is a tracker, trackers that are blocked,
those that are not blocked, and how to get more information. As to your
question about whether there are any social media sites, I don't have a
full list of them and that question is off-topic for this mailing list.
You may use the aforementioned link to access the full list of all of the
domains on the Tracking Protection list and assess whether your favourite
social network services are included.
> To clarify, revddit.com does not load any scripts from reddit. It queries
> reddit's API in the same way reddit does to help users know about 3rd
> parties removing content that they shared online. It does not require a
> login from the user and only uses my developer API key.
Here is a very simple description of how cross-site tracking works:
https://stackoverflow.com/questions/13897472/how-do-third-party-tracking-cookies-work
According to the original screenshot in the thread, your web page is
sending an HTTP request to https://www.reddit.com/api/v1/access_token. If
the user has previously visited reddit.com, this request will include the
user's reddit cookies normally. Also, the HTTP request I mentioned before
has a Referer header that points to the address of your web page by default
in most browsers. So Reddit will be able to tell which user has visited
which page on your site. In other words, Reddit will be able to see the
user's browsing history, as if they had access to the user's computer.
Note that nobody is blaming you or your site here. This is just a
by-product of how the fundamental building blocks of the web platform have
been designed. Very sadly, the Internet and the web were not designed with
privacy in mind, and therefore they expose your site's users to this risk
without any malice necessarily on your behalf. Hope this explanation helps
make this unfortunate situation make some sense.
> The site currently does nothing if it cannot query reddit directly via the
> client. I see two options,
>
> (1) Gracefully let users know that they have Tracking Protection enabled
> and explain the above.
>
> (2) Move the requests code to the server, possibly resulting in poorer
> performance.
>
May I humbly suggest the second option? The fact is, your site as it is
currently designed is exposing its users to this privacy risk on most
browser configurations. Also, note that it is probably not *just* the
Firefox tracking protection that blocks this request, but there are
probably other privacy tools and extensions with a similar behavior out
there too. By moving these requests to the server you will help improve
the privacy of all of your site's users, as well as ensure that your site
is more robust in various browser configurations.
Cheers,
--
Ehsan