Closed LiamDawe closed 6 years ago
My guess is that you are sending your login cookies along with requests to static resources.
Could you run the following script in your Badger's background page console and share what it prints out?
```javascript
(function () {
  const STR = "gamingonlinux.com";
  // Print every action_map entry whose domain contains STR
  console.log("**** ACTION_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  // Print every snitch_map entry (the sites the domain was seen tracking on)
  console.log("**** SNITCH_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());
```
To get to the background page console in Chrome, visit chrome://extensions, make sure "Developer mode" is checked, click on the "background page" link in Privacy Badger's row, and select the Console tab.
In Firefox, visit about:debugging, enable add-on debugging, click Debug next to Privacy Badger, click the OK button on the popup warning about remote debugging, and enter the above script into the console after the >>.
Not sure I'm doing this right:
```javascript
(function () {
  const STR = "gamingonlinux.com";
  console.log("**** ACTION_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  console.log("**** SNITCH_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());
```

```
**** ACTION_MAP for gamingonlinux.com
**** SNITCH_MAP for gamingonlinux.com
undefined
```
Did you run this in the browser where Privacy Badger learned to block your domain? Did you run this in Badger's background page, and not anywhere else (like the popup)?
Sorry, that was Firefox, here's Chrome:

```javascript
(function () {
  const STR = "gamingonlinux.com";
  console.log("**** ACTION_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  console.log("**** SNITCH_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());
```

```
VM236:3 **** ACTION_MAP for gamingonlinux.com
VM236:5 gamingonlinux.com {
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 0,
  "userAction": ""
}
VM236:5 www.gamingonlinux.com {
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 1525075452272,
  "userAction": "user_allow"
}
VM236:7 **** SNITCH_MAP for gamingonlinux.com
VM236:9 gamingonlinux.com [
  "joindiaspora.com",
  "patreon.com",
  "discordia.dyndns.tv"
]
```
Ah, OK, thanks. This says your Privacy Badger saw resources from www.gamingonlinux.com perform tracking on joindiaspora.com, patreon.com, and discordia.dyndns.tv. Are these sites where you would have come across www.gamingonlinux.com resources?
Images from OpenGraph tags (to show rich media, like an image beside an article tagline) were being blocked by PB on joindiaspora.
Patreon I don't believe pulls in any resources from us, since they host all stuff themselves. We have a Patreon page, but there's nothing on our site directly pulling anything from Patreon.
Same for Discord: we have a Discord channel, but the website isn't pulling anything from Discord. People do post links to our site in the Discord though, which will again, like joindiaspora, show that article image using the OpenGraph tags.
I think part of the issue may be that joindiaspora (as an example) doesn't host the OpenGraph image they pick up themselves; it's simply pulling our image directly, like this example: https://joindiaspora.com/posts/11659950 (inspect the image)
Whereas Mastodon hosts the file themselves: https://mastodon.social/@gamingonlinux/99937478397262869
Do you have cookies or other storage from gamingonlinux.com in your Chrome? You can check by visiting chrome://settings/siteData and searching for "gamingonlinux". Please do not post the contents of cookies here.
Updated my previous comment with more info.
As for cookies, yes: `__cfduid`, required by Cloudflare, and two others from our login system, like any other site where you log in.
Yep, so it's what I thought. Your login cookies are being sent along with static resources. Anybody who logs into your site could run into this issue; other people should not.
To improve website performance/security, you would ideally avoid having login/session cookies be associated with static resources/API endpoints (by configuring a dedicated static resource domain that doesn't overlap with the login domain, for example).
If you don't perform any tracking and are otherwise compliant with the EFF Do Not Track policy, you could post the policy on each affected domain, which will tell Privacy Badger to always allow loading of resources from the domain.
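To make the mechanism described in this comment concrete, here is a small model of the learning logic (an added example, not Privacy Badger's own code): a third-party request that carries cookies is recorded in `snitch_map` under the first-party site it was seen on, the domain flips to `heuristicAction: "block"` once it has been seen on enough distinct sites, and a user override or a detected DNT policy takes precedence over the learned action. The threshold of three sites is an assumption chosen to match the three entries in the snitch map pasted above.

```javascript
// Added example modelling the cookie-tracking heuristic discussed above.
// Assumption: a domain is blocked after being seen, with cookies, on
// BLOCK_THRESHOLD distinct first-party sites (three, as in the paste above).
const BLOCK_THRESHOLD = 3;

function createBadgerModel() {
  return { actionMap: new Map(), snitchMap: new Map() };
}

// Record one request. `hasCookies` means the request carried cookies, e.g.
// login cookies attached to an image fetched from www.gamingonlinux.com.
function recordRequest(model, firstParty, thirdParty, hasCookies) {
  if (!hasCookies || firstParty === thirdParty) return; // not tracking-like
  const sites = model.snitchMap.get(thirdParty) || new Set();
  sites.add(firstParty); // a Set, so repeat visits to one site don't count twice
  model.snitchMap.set(thirdParty, sites);
  const entry = model.actionMap.get(thirdParty) ||
    { dnt: false, heuristicAction: "allow", userAction: "" };
  if (sites.size >= BLOCK_THRESHOLD) entry.heuristicAction = "block";
  model.actionMap.set(thirdParty, entry);
}

// Models the result of a successful /.well-known/dnt-policy.txt check.
function markDntCompliant(model, domain) {
  const entry = model.actionMap.get(domain) ||
    { dnt: false, heuristicAction: "allow", userAction: "" };
  entry.dnt = true;
  model.actionMap.set(domain, entry);
}

// What the model would do with a request to `domain`: a user override wins,
// then a valid DNT policy, then the learned heuristic action.
function effectiveAction(model, domain) {
  const entry = model.actionMap.get(domain);
  if (!entry) return "allow";
  if (entry.userAction === "user_allow") return "allow";
  if (entry.userAction === "user_block") return "block";
  if (entry.dnt) return "allow";
  return entry.heuristicAction;
}
```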
As I'm sure you know, it's not a simple task to suddenly make a website use an entirely separate domain for all static resources; it's not really something a single-person-run site with limited resources can just do.
We don't perform any tracking, we don't use google analytics or anything. Where would I post such a thing so it can pick it up? Do I just put it in a "dnt-policy-1.0.txt" file in my website root folder and the plugin would scan for that file?
You have to serve the exact contents of https://raw.githubusercontent.com/EFForg/dnt-policy/master/dnt-policy-1.0.txt at https://www.gamingonlinux.com/.well-known/dnt-policy.txt
Okay, to be clear then, where it says this:

> This file will always be posted via HTTPS at https://example-domain.com/.well-known/dnt-policy.txt to indicate this fact.

I don't need to adjust that for my actual domain? Just so we're crystal clear, as you say "exact contents".
Correct.
Okay, great. I've now done that, hopefully this will be solved then :+1:
Looks good to me. If your Badger already checked the domain for DNT recently, it can take up to a week for the domain to get rechecked.
You could run `badger.storage.touchDNTRecheckTime('www.gamingonlinux.com', 0)` in your Badger's background page to clear the cache and force rechecking with the next visit though.
No probs.
I really appreciate you taking time to talk me through this. We're a Linux-based site so privacy is extremely important to us anyway :+1:
Resolving. Let me know if there is anything else.
Hi, I recently came across an issue where Privacy Badger has been claiming my site https://www.gamingonlinux.com is a tracker and fully blocks any external content from it.
RSS feeds, for example: tested in both Feedly and Tiny Tiny RSS, Privacy Badger set it to block the images from the feed.
How can I get this fixed? My site is not a tracker :+1: