
Tracking protection breaks site that does not track


rdevc...@gmail.com

Oct 12, 2018, 12:20:17 PM
Hi, I recently released the site https://revddit.com which allows users to review content of theirs that has been removed from reddit.

It does not require any sort of login and does its analysis using data that is publicly visible on reddit. I don't even have Google Analytics enabled at this point.

When I use Firefox to visit the site with Tracking Protection enabled, it is prevented from querying reddit:

http://i.imgur.com/yfapYtq.png

I assume I could write some code instructing users who receive this error to disable Tracking Protection, however that seems like a strange message.

My question is, does "Tracking Protection" cast too wide a net?

The code for this site is open source. If I can convince Firefox users that I'm not tracking them, and they disable this feature, would they be likely to re-enable it?

Perhaps I do not understand this feature. Any guidance would be appreciated.

Regards,

Rob

Jakob Bohm

Oct 15, 2018, 12:17:10 PM
The feature is (in this case) preventing Reddit from tracking users of
your service.

The thing that triggers this is that you have coded your site to make
the user's browser query reddit, thereby telling Reddit that the user is
using your service.

But given the specific URL shown in your error message, it appears that
you are authenticating that the user is logged in on Reddit using the
account that is about to be looked at, so contacting Reddit may be
unavoidable.

Since the error message also references "CORS", you may be able to mark
the request as allowed via various web standards that exist under the
"CORS" name. I don't know that part of the Web Standards closely enough
to tell you how that would work.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

rdevc...@gmail.com

Oct 15, 2018, 12:44:37 PM
Hi, just to clarify, the code on my website is not an authentication on behalf of the user. It's an authentication to use the reddit API with an API key that is tied to my own developer account.

The CORS error is, I believe, just a side-effect of enabling tracking protection, and there's nothing I can code to avoid the request failing. It is because reddit.com is on this list,

https://github.com/disconnectme/disconnect-tracking-protection/blob/master/services.json

Jakob Bohm

Oct 15, 2018, 2:18:24 PM
If there is nothing user specific, it is better for the user's privacy
to connect directly from your server, not telling Reddit anything about
the user.

Ehsan Akhgari

Oct 15, 2018, 4:40:29 PM
to rdevc...@gmail.com, dev-p...@lists.mozilla.org
Hi Rob,

Thanks for reaching out!

As Jakob already mentioned, it's not that tracking protection is casting
too wide of a net here, Reddit is. Firefox is just trying to protect its
users from this pervasive tracking.

In order to prevent your code from breaking, you should expect this
exception and handle it gracefully in your code. Another way is to check
to see whether the script(s) you are loading from reddit have been loaded
successfully.
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Tracking_Protection
has some documentation on this matter which may be helpful.

Cheers,
Ehsan


--
Ehsan

rdevc...@gmail.com

Oct 15, 2018, 9:46:44 PM
Hi Jakob,

Is that right? I have trouble seeing the privacy gains in this instance since the client via reVddit is merely querying reddit in the same manner it would by visiting reddit itself.

Connecting from my own server would, I believe, result in requests getting throttled by reddit since their API puts limits on how many requests a client can make (~60 per minute). It would also result in a slower experience for the end user to be re-routed through whatever tiny server I would allocate to this free software project.

Ehsan,

Thanks for your reply. I'm afraid I still don't understand the details of Tracking Protection. Are there any social media sites that are not on the tracking protection list? How are they distinguished from reddit? Perhaps if I understand this bit I'll be convinced to move the requests to the server side.

To clarify, revddit.com does not load any scripts from reddit. It queries reddit's API in the same way reddit does to help users know about 3rd parties removing content that they shared online. It does not require a login from the user and only uses my developer API key. The site currently does nothing if it cannot query reddit directly via the client. I see two options,

(1) Gracefully let users know that they have Tracking Protection enabled and explain the above.

(2) Move the requests code to the server, possibly resulting in poorer performance.

Cheers,

Rob

Ehsan Akhgari

Oct 15, 2018, 11:04:51 PM
to rdevc...@gmail.com, dev-p...@lists.mozilla.org
On Mon, Oct 15, 2018 at 9:50 PM <rdevc...@gmail.com> wrote:

> Thanks for your reply. I'm afraid I still don't understand the details of
> Tracking Protection. Are there any social media sites that are not on the
> tracking protection list? How are they distinguished from reddit? Perhaps
> if I understand this bit I'll be convinced to move the requests to the
> server side.
>

Our tracking protection feature is powered by the Tracking Protection list
of Disconnect.me, see https://disconnect.me/trackerprotection. There you
can find information about what is a tracker, trackers that are blocked,
those that are not blocked, and how to get more information. As to your
question about whether there are any social media sites, I don't have a
full list of them and that question is off-topic for this mailing list.
You may use the aforementioned link to access the full list of all of the
domains on the Tracking Protection list and assess whether your favourite
social network services are included.


> To clarify, revddit.com does not load any scripts from reddit. It queries
> reddit's API in the same way reddit does to help users know about 3rd
> parties removing content that they shared online. It does not require a
> login from the user and only uses my developer API key.


Here is a very simple description of how cross-site tracking works:
https://stackoverflow.com/questions/13897472/how-do-third-party-tracking-cookies-work

According to the original screenshot in the thread, your web page is
sending an HTTP request to https://www.reddit.com/api/v1/access_token. If
the user has previously visited reddit.com, this request will include the
user's reddit cookies normally. Also, the HTTP request I mentioned before
has a Referer header that points to the address of your web page by default
in most browsers. So Reddit will be able to tell which user has visited
which page on your site. In other words, Reddit will be able to see the
user's browsing history, as if they had access to the user's computer.

Note that nobody is blaming you or your site here. This is just a
by-product of how the fundamental building blocks of the web platform have
been designed. Very sadly, the Internet and the web were not designed with
privacy in mind, and therefore they expose your site's users to this risk
without any malice necessarily on your behalf. Hope this explanation helps
make this unfortunate situation make some sense.


> The site currently does nothing if it cannot query reddit directly via the
> client. I see two options,
>
> (1) Gracefully let users know that they have Tracking Protection enabled
> and explain the above.
>
> (2) Move the requests code to the server, possibly resulting in poorer
> performance.
>

May I humbly suggest the second option? The fact is, your site as it is
currently designed is exposing its users to this privacy risk on most
browser configurations. Also, note that it is probably not *just* the
Firefox tracking protection that blocks this request, but there are
probably other privacy tools and extensions with a similar behavior out
there too. By moving these requests to the server you will help improve
the privacy of all of your site's users, as well as ensure that your site
is more robust in various browser configurations.

Cheers,
--
Ehsan
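The two points Ehsan makes above, handling a blocked request as an expected condition rather than a silent failure, and limiting what a third-party API call reveals about the user (cookies, Referer), can both be addressed in a small client-side wrapper. The following is an added example, not revddit's code; the endpoint URL and the injectable `fetchImpl` parameter are assumptions for illustration.

```javascript
// Added example (not revddit's code): a wrapper around fetch that
// (1) omits cookies and the Referer header, so a third-party API call cannot be
//     tied to the user's reddit session or to the page they were reading, and
// (2) treats a blocked request (Tracking Protection or a similar privacy tool)
//     as an expected outcome and reports it, instead of failing silently.
// The fetchImpl parameter is an assumption so the logic can run without a network.

// Request options that minimise what the third-party origin learns about the
// user. Tracking Protection blocks by domain, so this does not unblock the call;
// it only limits the leak on browsers that do allow the request through.
function buildApiRequestInit() {
  return {
    method: "GET",
    mode: "cors",
    credentials: "omit",           // never attach the user's reddit cookies
    referrerPolicy: "no-referrer", // do not reveal which page on our site made the call
    cache: "no-store",
  };
}

// Classify a failed fetch. A request stopped before it reaches the network
// rejects with a TypeError and carries no HTTP status, which is what the
// "CORS"-looking error in the thread is. Note that a DNS or connectivity
// failure looks the same, so the message to the user should not overclaim.
function classifyFetchError(err) {
  return err instanceof TypeError ? "blocked" : "error";
}

// Perform the query and return a plain result object the UI can render.
async function queryThirdPartyApi(url, fetchImpl = globalThis.fetch) {
  try {
    const res = await fetchImpl(url, buildApiRequestInit());
    if (!res.ok) return { status: "http_error", code: res.status };
    return { status: "ok", data: await res.json() };
  } catch (err) {
    const status = classifyFetchError(err);
    return {
      status,
      message:
        status === "blocked"
          ? "The request to the third-party API was blocked (for example by tracking protection); nothing was sent."
          : String(err),
    };
  }
}
```

Moving the call server-side, as Ehsan recommends, removes the user's browser from the exchange entirely; this wrapper is the minimum for the client-side design while it remains in place.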

rdevc...@gmail.com

Feb 24, 2019, 3:06:09 AM
Hi Ehsan,

I'm coming back to this thread because a user asked why Firefox was not working for him. I had another thought I wanted to run by you. You previously wrote,

> According to the original screenshot in the thread, your web page is
> sending an HTTP request to https://www.reddit.com/api/v1/access_token. If
> the user has previously visited reddit.com, this request will include the
> user's reddit cookies normally. Also, the HTTP request I mentioned before
> has a Referer header that points to the address of your web page by default
> in most browsers. So Reddit will be able to tell which user has visited
> which page on your site. In other word, Reddit will be able to see the
> user's browsing history, as if they had access to the user's computer.

Could Firefox selectively choose _not_ to send cookies and the referrer header in this case? This seems like a possible compromise to me for sites like revddit which rely on accessing a social media site's API with non-user-specific credentials in order to function.

Regards,

Rob