Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

x-hacker Header advertisement for Automattic on customer's sites #74642

Open devNigel opened 1 year ago

devNigel commented 1 year ago

Quick summary

WordPress.com sites are served with an x-hacker header that shows this message: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

I think it is unprofessional to do that on a customer's site, especially on sites of major businesses like https://goniyo.com/


The customer contacted us asking how to remove it.

Steps to reproduce

Use the Network inspector tool in the browser to see this header.

What you expected to happen

NA

What actually happened

NA

Impact

All

Available workarounds?

No but the platform is still usable

Platform (Simple and/or Atomic)

Simple, Atomic

Logs or notes

Ticket: 6056027-zd-woothemes

github-actions[bot] commented 1 year ago

Support References

This comment is automatically generated. Please do not edit it.

worldomonation commented 1 year ago

Removing the bug label as it is a feature request, not an issue.

I'm wary of making changes to the header concerning this message without explicit approval from Matt or other senior leads. Having a message in the x-header is part of the playful, fun identity we have.

Plus, we are not the only company around that has hiring messages tucked away in the source code or the network request. See this list by a GitHub user for sites that have similar messages in the x-header.

Other sites that have hidden job adverts embedded in the page source itself: https://theundercoverrecruiter.com/hidden-messages-code/

Lowering priority to Low, removing Bug label.

worldomonation commented 1 year ago

Addendum: this VIP P2 from 2017 mentions explicitly that we will not blanket-remove the header. poqVs-jz5-p2

devNigel commented 1 year ago

@worldomonation

Plus, we are not the only company around that has hiring messages tucked away in the source code or the network request. See this list by a GitHub user for sites that have similar messages in the x-header.

This is totally different. It is definitely not the same when companies do that on their own sites versus companies doing that on the customer's site.

Imagine if Amazon AWS or Microsoft Azure or other big players injected such headers on the sites hosted on them, that's what A8C is doing right now.

If this particular user gets back to us again asking to disable it, I think we should disable it for their site.

kavyagokul commented 1 year ago

📌 ACTIONS

📌 Message to Author

P.S. Just adding that other hosts like WPEngine also do this, so this is not a unique thing in this industry.

Aurorum commented 8 months ago

User requested this in 7557203-zen