Closed StanislawAntol closed 1 year ago
Rob--W
commented
4 years ago Does the attribute end up at the other side of the chat?
I cannot find the data-sanitized attribute that you're referring to (but I don't use the chat, so that may be related).
When I open a draft mail with an embedded link, I see data-saferedirecturl. When I view a recently sent email from Gmail with an URL in it, the raw message contains a normal link without extraneous attributes.
StanislawAntol
commented
4 years ago Thanks for having a look into this!
For the chat-window-specific parts, I can see it on either end (sender/receiver).
When I look at a e-mail that I sent, I see something like:
<a href="https://www.example.org/" target="_blank" data-saferedirecturl="https://www.google.com/url?q=https://www.example.org/&source=gmail&ust=158035908891000&usg=AFQjCNHZ6SkST0tT-smfs5XFEBMJNzpwM">https://www.example.org/</a>When I look at a chat message in the Chats sidebar thing (that makes the chat history look more like e-mails), I see something similar to the e-mail above:
<a href="https://www.youtube.com/watch?v=abcd" target="_blank" data-saferedirecturl="https://www.google.com/url?q=https://www.youtube.com/watch?v%3Dabcd&source=gmail&ust=158035889724300&usg=AFQjCNH_w7AKUaoGJXbT2ulMpFCoB5_Vn">https://www.youtube.com/watch?<wbr>v=abcd</a>And in the little chat window, for some URLs (e.g., YouTube), I'll see (for the same link/part of chat):
<a rel="nofollow noreferrer noopener" target="_blank" href="https://www.youtube.com/watch?v=abcd" class="Xx" tabindex="-1" dir="ltr" data-display="https://www.youtube.com/watch?v=abcd" data-sanitized="https://www.youtube.com/watch?v=abcd">https://www.youtube.com/watch?v=abcd</a>But then, again in the little chat window, for other URLs (e.g., GitHub), I'll see more tracking tokens:
<a rel="nofollow noreferrer noopener" target="_blank" href="https://www.google.com/url?q=https://www.github.com/&sa=D&source=hangouts&ust=158036314107700&usg=AFQjCNHKKURLVor05eGbpk8_X5vlDkQFv" class="Xx" tabindex="-1" dir="ltr" data-display="https://www.github.com/" data-sanitized="https://www.google.com/url?q=https://www.github.com/&sa=D&source=hangouts&ust=158036314107700&usg=AFQjCNHKKURLVor05eGbpk8_X5vlDkQFv">https://www.github.com/</a>I hope this helps!
Rob--W
commented
3 years ago Is this issue still relevant? I can still not reproduce your issue with data-sanitized.
And I do still see data-saferedirecturl on rendered <a>, but that is only locally, and not part of the email message itself. When I use the option to view the original/raw message of an email, I cannot find saferedirecturl.
The main point of interest for the extension is the href attribute. It is sanitized where possible, with a fallback to sanitizing on mouse press, such as right-clicking. Before concluding that the functionality doesn't work as expected, right-click on the link, and then check if the link has been sanitized as expected (by the extension).
I recently noticed that the chat in Gmail also seems to have tracking links if you paste a URL as a link.
The HTML seems to look like:
<a rel="nofollow noreferrer noopener" target="_blank" href="https://example.org/" class="Xx" tabindex="-1" dir="ltr" data-display="https://example.org/" data-sanitized="https://www.google.com/url?q=https://example.org/&sa=D&source=hangouts&ust=00000&usg=LhLuZg" referrerpolicy="origin">https://example.org/</a>If this isn't out of scope for this plug-in, it'd be great if removing these could be supported.