duckduckgo / duckduckgo-privacy-extension

DuckDuckGo Privacy Essentials browser extension for Firefox, Chrome.
https://duckduckgo.com/app
Apache License 2.0
1.26k stars 245 forks source link

Documentation for website developers? #512

Open calebhailey opened 4 years ago

calebhailey commented 4 years ago

Hi there :wave: long time fan of DuckDuckGo here & glad such an alternative to <the other search engine> exists.

My company uses Hubspot and recently started embedding various Hubspot forms & CTA widgets in our website. Several of our employees who use the DuckDuckGo privacy extension report issues with our website that ultimately end up being the result of the privacy extension blocking Hubspot content (including our company's main contact form).

Unfortunately, it seems the end result is only partially blocking the content (see example screenshot of a CTA button that is blocked by the DuckDuckGo privacy extension, though the underlying link itself is not blocked).

image

We would like to be a good citizen RE: privacy, so I'm sorta wondering if there's any documentation that either explains how to avoid having certain valid content blocked by the DuckDuckGo privacy extension -OR- how to model the objectionable content in such a way that DuckDuckGo will not display it at all (so we don't end up with partially rendered buttons).

Thanks in advance for your help!

dharb commented 3 years ago

This is a really great idea, thank you. I'll take it internally and see what people think.

It's a difficult problem to solve. Our clients use a block list that is derived from our monthly crawls. During these crawls, we monitor the activity initiated by third parties and look for whether they set cookies, access browser APIs known to be used for fingerprinting, and a variety of other "tracky" behaviors. Domains found to be engaging in an excessive amount of suspect activity are added to our block list. Here's an example of what we saw for the HubSpot domain hsforms.net during our last crawl.

Our goal is to stop as much tracking as possible without breaking the web. Unfortunately sometimes we end up blocking something that looks tracky but is essential to site functionality, which sounds like what you're seeing here.

I'd like to get this fixed for you. Could you please share a couple links to pages that we are breaking so I can debug what's going on and ship a fix?

calebhailey commented 3 years ago

Thank you for the very detailed and helpful response! I presumed that this would be a hard problem to solve since you can't exactly document how to work around the (helpful and appreciated!) privacy protections provided by this extension – it would defeat the purpose! 😄

I'm glad to know there may be some other way to resolve this issue though. The issues we're having are only related to the "essential site functionality", specifically including Hubspot buttons and forms on our site. I would hope that the other tracking capabilities of Hubspot (many of which we don't use, but can't disable without switching platforms) could be blocked for users who wish to do so without impacting forms and buttons.

Here's an example of an issue we're seeing: https://sensu.io/blog/filling-gaps-in-kubernetes-observability-with-the-sensu-kubernetes-events-integration

There's a button at the end of this blog post that is partially blocked. It is an embedded Hubspot button, so I suspect some javascript is being blocked that is preventing the correct styling of the button, but the underlying link element is still visible (and ugly). Let me know if this can be resolved in the extension, or if we need to take any action on our side to resolve it.

Cheers 🍻

PS – we had previously experienced some issues with Hubspot embedded forms on our site (sensu.io), but we are no longer able to reproduce those, so perhaps this has already been resolved on your end?