Other: Thoughts on what justifies as an unwanted redirect

[DrKain]

A while back I introduced the redirect rule that is used to skip websites that let you know you're leaving their ecosystem. I was on the rails for a while about this one but eventually caved after I got several requests to handle it.

My issue at the moment is that some redirect warnings are useful, for example: Steam's "You are leaving Steam" message whenever you click on an external link. Unfortunately there are a lot of shitty people out there that make this warning necessary. This is especially important with the amount of scams and phishing sites that target Steam users, so this warning may be useful to many users. Then there's the more malicious cases like Facebook's external link "warning" that serves only to track where the users are going.

And finally, the ad services like linksynergy, adtraction or dpbolvw that are there to simply track who clicks on a link. They don't show a warning, they quietly log your information (browser, device, ip, referral, ect) then redirect you to the link you wanted to visit. It may not seem like a big deal but these websites will build a profile on you based on what you're visiting, what you're clicking, what websites you use. The amount of data they can collect from a simple click is frightening. If you're a privacy nut like me you'll understand the threat these websites pose, and this is why I added the redirect rule.

My thoughts at the moment are to expand the redirect rule and allow the user to customize what they want.
The easiest method would be to tag the redirect rule, something along the lines of:

const rule = {
    match: /website.com/gi,
    redirect: { param: ['url'], category: 'clickjacking' }
};

This would allow you to specify categories for each link, only bypassing them if the user allows it. This would allow useful warnings like Steam's "You are leaving our ecosystem" warning to remain but totally bypass anything malicious like ad services. As an extra note, the param value can be either an array or a string for some very, very rare cases where the website uses multiple parameters for the same reason.

The categories I've been thinking of so far:

• click-jacking
• referral
• exit/redirect warning

This system would also allow for more flexibility in the future. I would love to hear some feedback on this idea, so if you've got an opinion please don't hesitate to leave a comment on this PR. I won't be taking any action until I've decided it's what people want.

[DrKain]

It has been a fair few months since I've opened this issue without any response, so in the next major update I will be changing all existing rules that cover redirects. I can't give an exact date when this will happen, but this is a rough idea of what I have planned:

• By default exit warnings will not be modified because these are helpful messages
• Referrals and click-jacking links will be cleaned as usual as long as the referral doesn't benefit the user. For example: useful coupon codes.
• Each rule will have a tag (or several) that allows users to customize what they want to be processed or not.

You will be able to customize all of these as you see fit. This update will change how redirects are processed and will almost certainly break old applications using this package. I know this is not ideal, that's why I'm giving plenty of warning in advance. Right now only 7% of users are using @latest so I'm not too worried.

If anyone has any input they'd like to add feel free to post a comment.

[HiEnergy]

Looks like an awesome idea to me.