Privacy Badger replaces non-tracking Twitter buttons

EFForg / privacybadgerfirefox-legacy

LEGACY Privacy Badger for Firefox SEE README

https://www.eff.org/privacybadger

Other

407 stars 68 forks source link

Privacy Badger replaces non-tracking Twitter buttons #593

Open allo- opened 9 years ago

allo- commented 9 years ago

<a class="twitter-share-button" target="_blank" href="https://twitter.com/intent/tweet?text=mytext&url=http%3A%2F%2Fmyurl&hashtags=some,hashtags">Tweet</a>

Is replaced with a privacy badger button. 1) The Button changes the website layout, as its a twitter button and not a link anymore 2) The button opens the twitter share dialog, but without the text and the hashtags 3) The link was not tracking you anyway.

allo- commented 8 years ago

Still happens in 1.7.0, with the same three problems.

Further it is even replaced with "disable privacy badger for this site" enabled.

cooperq commented 8 years ago

this could be fixed by changing the class name, as that is what the replacement is keyed off of. That said the fact that it is being replaced even when privacy badger is disabled for the domain is worth opening a separate bug for.

allo- commented 8 years ago

Hmm, i can change the class name, but i guess as user you can't expect sites to change their classname for non-tracking buttons. This is a text link, it could be just the same as default with a locally hosted image.

https://dev.twitter.com/web/tweet-button 1 is non-tracking, 2 can be non-tracking if you host the button image yourself. The most important parts are the script solutions, of course images from twitter.com directly are a problem with referer and cookies as well.

But for 1 and 2 with own image there should be some solution detecting if its possibly tracking or not.

I can look again into the even with disabled PB, when its reproducable it may be worth an additional bug.

cooperq commented 8 years ago

I can definitely see how it would improve the feature to determine if the button is a tracking button or not, but for now, to keep the process speedy we have to key off the class name. I agree with the wisdom of such a change so I will re-open the issue, but I don't personally have time to work on it.

allo- commented 8 years ago

Prevent matching text links: use a selector img.twitter-share-button or similiar. (maybe easy. need to look into it how this interacts with scripts. https://about.twitter.com/resources/buttons#tweet seems to load a script outside of the link)
get the replacement to include the old url parameters (may need serious changes on the code doing the replacements)
maybe get some option to distinguish relative / absolute urls in the tags.
- ok: twitter.png, /twitter.png
- not okay: http://twitter.com/twitter.png, https://twitter.com/twitter.png, //twitter.com/twitter.png