EFForg / privacybadger

Privacy Badger is a browser extension that automatically learns to block invisible trackers.
https://privacybadger.org

Picks up my own website as a tracker? #1995

Closed LiamDawe closed 6 years ago

LiamDawe commented 6 years ago

Hi, I recently came across an issue where Privacy Badger has been claiming my site https://www.gamingonlinux.com is a tracker and fully blocks any external content from it.

RSS feeds, for example: tested in both Feedly and Tiny Tiny RSS, Privacy Badger set it to block the images from the feed.

How can I get this fixed? My site is not a tracker :+1:

ghostwords commented 6 years ago

My guess is that you are sending your login cookies along with requests to static resources.

Could you run the following script in your Badger's background page console and share what it prints out?

(function () {
  const STR = "gamingonlinux.com";
  // action_map: what Badger currently does for each domain
  // (heuristicAction, userAction, dnt flag, nextUpdateTime for the DNT recheck)
  console.log("**** ACTION_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  // snitch_map: the first-party sites on which each domain was seen tracking
  console.log("**** SNITCH_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());

To get to the background page console in Chrome, visit chrome://extensions, make sure "Developer mode" is checked, click on the "background page" link in Privacy Badger's row, and select the Console tab.

In Firefox, visit about:debugging, enable add-on debugging, click Debug next to Privacy Badger, click the OK button on the popup warning about remote debugging, and enter the above script into the console after the >>.

LiamDawe commented 6 years ago

Not sure I'm doing this right:

(function () {
  const STR = "gamingonlinux.com";
  console.log("**** ACTION_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  console.log("**** SNITCH_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());

**** ACTION_MAP for gamingonlinux.com
**** SNITCH_MAP for gamingonlinux.com
undefined

ghostwords commented 6 years ago

Did you run this in the browser where Privacy Badger learned to block your domain? Did you run this in Badger's background page, and not anywhere else (like the popup)?

LiamDawe commented 6 years ago

Sorry, that was firefox, here's Chrome:

(function () {
  const STR = "gamingonlinux.com";
  console.log("**** ACTION_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  console.log("**** SNITCH_MAP for", STR);
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());

VM236:3 **** ACTION_MAP for gamingonlinux.com
VM236:5 gamingonlinux.com {
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 0,
  "userAction": ""
}
VM236:5 www.gamingonlinux.com {
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 1525075452272,
  "userAction": "user_allow"
}
VM236:7 **** SNITCH_MAP for gamingonlinux.com
VM236:9 gamingonlinux.com [
  "joindiaspora.com",
  "patreon.com",
  "discordia.dyndns.tv"
]

ghostwords commented 6 years ago

Ah, OK, thanks. This says your Privacy Badger saw resources from www.gamingonlinux.com perform tracking on joindiaspora.com, patreon.com, and discordia.dyndns.tv. Are these sites where you would have come across www.gamingonlinux.com resources?

LiamDawe commented 6 years ago

Images from OpenGraph tags (to show rich media, like an image beside an article tagline) were being blocked by PB on joindiaspora.

Patreon I don't believe pulls in any resources from us, since they host all stuff themselves. We have a Patreon page, but there's nothing on our site directly pulling anything from Patreon.

Same for Discord: we have a Discord channel, but the website isn't pulling anything from Discord. People do post links to our site in the Discord though, which will again, like joindiaspora, show the article image using the OpenGraph tags.

I think part of the issue may be that joindiaspora (as an example) doesn't host the OpenGraph image they pick up themselves; it simply pulls our image directly, like this example: https://joindiaspora.com/posts/11659950 (inspect the image)

Whereas Mastodon hosts the file themselves: https://mastodon.social/@gamingonlinux/99937478397262869

ghostwords commented 6 years ago

Do you have cookies or other storage from gamingonlinux.com in your Chrome? You can check by visiting chrome://settings/siteData and searching for "gamingonlinux". Please do not post the contents of cookies here.

LiamDawe commented 6 years ago

Updated my previous comment with more info.

As for cookies, yes: "__cfduid" (required by Cloudflare) and two others from our login system, like any other site where you log in.

ghostwords commented 6 years ago

Yep, so it's what I thought. Your login cookies are being sent along with static resources. Anybody who logs into your site could run into this issue; other people should not.

To improve website performance/security, you would ideally avoid having login/session cookies be associated with static resources/API endpoints (by configuring a dedicated static resource domain that doesn't overlap with the login domain, for example).

If you don't perform any tracking and are otherwise compliant with the EFF Do Not Track policy, you could post the policy on each affected domain, which will tell Privacy Badger to always allow loading of resources from the domain.
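To make the explanation above concrete, here is an added example (not Privacy Badger's own code, and not part of this thread) that models the heuristic in simplified form: the browser attaches a cookie to a cross-site image request according to RFC 6265 host/domain/path matching, the extension records which first-party sites the third party was seen carrying cookies on (the snitch map), and once that count reaches Privacy Badger's TRACKING_THRESHOLD of 3 the domain's heuristic action becomes "block", unless a user override or a found DNT policy takes precedence. The action-map shape mirrors the output posted earlier in the thread. The cookie definitions, the `static.gamingonlinux.com` host, the three page URLs and the tiny public-suffix excerpt are all constructed for the example.

```javascript
// Added example, not Privacy Badger's code: a simplified model of its
// tracking heuristic. All hosts, cookies and visits are constructed; the
// suffix list is a toy excerpt (the real extension uses the full PSL).

const TRACKING_THRESHOLD = 3; // Privacy Badger's threshold of distinct first-party sites
const PUBLIC_SUFFIXES = new Set(["com", "tv", "dyndns.tv"]); // constructed excerpt

// eTLD+1 of a host against the toy suffix list.
function baseDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host;
}

// Would the browser attach this stored cookie to a request for url? (RFC 6265 5.4)
function cookieMatches(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const domainOk = cookie.hostOnly
    ? hostname === cookie.domain // no Domain attribute: exact host only
    : hostname === cookie.domain || hostname.endsWith("." + cookie.domain);
  const p = cookie.path || "/";
  const pathOk =
    pathname === p ||
    (pathname.startsWith(p) && (p.endsWith("/") || pathname[p.length] === "/"));
  return domainOk && pathOk;
}

function makeBadger() {
  return { snitch_map: {}, action_map: {} };
}

// One third-party request observed while firstPartyUrl is the top-level page.
function observeRequest(badger, firstPartyUrl, requestUrl, cookies) {
  const site = baseDomain(new URL(firstPartyUrl).hostname);
  const third = baseDomain(new URL(requestUrl).hostname);
  if (third === site) return; // same site: never counted as tracking
  if (!cookies.some((c) => cookieMatches(c, requestUrl))) return; // cookieless: nothing learned
  const seen = badger.snitch_map[third] || (badger.snitch_map[third] = []);
  if (!seen.includes(site)) seen.push(site);
  const entry =
    badger.action_map[third] ||
    (badger.action_map[third] = { dnt: false, heuristicAction: "", nextUpdateTime: 0, userAction: "" });
  entry.heuristicAction = seen.length >= TRACKING_THRESHOLD ? "block" : "allow";
}

// Final action for a request to host: user override, then DNT, then heuristic.
function decide(badger, host) {
  const entry = badger.action_map[baseDomain(host)];
  if (!entry) return "allow";
  if (entry.userAction === "user_block") return "block";
  if (entry.userAction === "user_allow") return "allow";
  if (entry.dnt) return "allow"; // EFF DNT policy found at /.well-known/dnt-policy.txt
  return entry.heuristicAction || "allow";
}

// Scenario from the thread: a visitor follows links on three other sites, each
// embedding the article's OpenGraph image straight from the original host.
function simulate(cookies, imageUrl, { dnt = false } = {}) {
  const badger = makeBadger();
  const pages = [
    "https://joindiaspora.com/posts/1",
    "https://www.patreon.com/some-page",
    "https://discordia.dyndns.tv/channel",
  ];
  for (const page of pages) observeRequest(badger, page, imageUrl, cookies);
  const host = new URL(imageUrl).hostname;
  const entry = badger.action_map[baseDomain(host)];
  if (dnt && entry) entry.dnt = true;
  return { action: decide(badger, host), snitched: badger.snitch_map[baseDomain(host)] || [] };
}

// Constructed cookies as the browser would store them after logging in.
const SESSION_SITEWIDE = { name: "session", domain: "gamingonlinux.com", hostOnly: false, path: "/" };
const SESSION_HOSTONLY = { name: "session", domain: "www.gamingonlinux.com", hostOnly: true, path: "/" };
const IMG_WWW = "https://www.gamingonlinux.com/uploads/article.png";
const IMG_STATIC = "https://static.gamingonlinux.com/uploads/article.png"; // assumed static host

console.log("anonymous visitor:", simulate([], IMG_WWW).action);
console.log("logged in, image on www:", simulate([SESSION_SITEWIDE], IMG_WWW).action);
console.log("host-only cookie, image on static host:", simulate([SESSION_HOSTONLY], IMG_STATIC).action);
console.log("Domain= cookie, image on static host:", simulate([SESSION_SITEWIDE], IMG_STATIC).action);
console.log("logged in, DNT policy served:", simulate([SESSION_SITEWIDE], IMG_WWW, { dnt: true }).action);
```

The two middle cases show the point behind the "dedicated static domain" advice: a session cookie set without a Domain attribute is host-only and is not sent to `static.gamingonlinux.com`, so the static host never enters the snitch map, but a cookie set with `Domain=gamingonlinux.com` is sent to every subdomain and the static host gets blocked just like `www`. A separate registrable domain for static assets avoids the question entirely, and a served DNT policy overrides the heuristic for the domain regardless.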

LiamDawe commented 6 years ago

As I'm sure you know, it's not a simple task to suddenly make a website use an entirely separate domain for all static resources, not really something a single-person run site can just do with limited resources.

We don't perform any tracking, we don't use google analytics or anything. Where would I post such a thing so it can pick it up? Do I just put it in a "dnt-policy-1.0.txt" file in my website root folder and the plugin would scan for that file?

ghostwords commented 6 years ago

You have to serve the exact contents of https://raw.githubusercontent.com/EFForg/dnt-policy/master/dnt-policy-1.0.txt at https://www.gamingonlinux.com/.well-known/dnt-policy.txt

LiamDawe commented 6 years ago

Okay, to be clear then, where it says this:

This file will always be posted via HTTPS at https://example-domain.com/.well-known/dnt-policy.txt to indicate this fact.

I don't need to adjust that for my actual domain? Just so we're crystal clear as you say "exact contents"

ghostwords commented 6 years ago

Correct.

LiamDawe commented 6 years ago

Okay, great. I've now done that, hopefully this will be solved then :+1:

ghostwords commented 6 years ago

Looks good to me. If your Badger already checked the domain for DNT recently, it can take up to a week for the domain to get rechecked.

You could run badger.storage.touchDNTRecheckTime('www.gamingonlinux.com', 0) in your Badger's background page to clear the cache and force rechecking with the next visit though.

LiamDawe commented 6 years ago

No probs.

I really appreciate you taking time to talk me through this. We're a Linux-based site so privacy is extremely important to us anyway :+1:

ghostwords commented 6 years ago

Resolving. Let me know if there is anything else.