ihucos / counter.dev

Web Analytics made simple
https://counter.dev
GNU Affero General Public License v3.0

counter.dev shows .local and local IP addresses #59

Open hello-smile6 opened 2 years ago

hello-smile6 commented 2 years ago

I have counter.dev analytics on neofetch-js, and I saw @webdev03's phone loading a site from their computer in counter.dev. I think analytics requests from .lan, .local, 10.*.*.*, and 192.168.*.*, and domain names without a . (and maybe others) need to be discarded and hidden from users by default, because I should not see their computer's hostname or the port their web server was running on. Please fix this.

webdev03 commented 2 years ago

Oh well I guess you know I use a MacBook LOL

hello-smile6 commented 2 years ago

> Oh well I guess you know I use a MacBook LOL

I even know the hostname... Now I can make a web implementation of nmap using websockets... (It wouldn't be that hard anyways, and it'd be fun. You'd just have to open a websocket on each port and see what sockets take noticeably longer before failing. Of course, I wouldn't log the data using analytics. )

hello-smile6 commented 2 years ago

@webdev03 No longer logging data from dev servers, see https://github.com/hello-smile6/neofetch-js/commit/942b7ed437a0047ad00d7b5dd8416a868cc29aee

ihucos commented 2 years ago

> @webdev03 No longer logging data from dev servers, see https://github.com/hello-smile6/neofetch-js/commit/942b7ed437a0047ad00d7b5dd8416a868cc29aee

Nice, would be nice to have your client side code:

        // location.port is a string, and it is "" when the scheme's default
        // port is in use, so it must be compared against strings, not numbers.
        if (
            location.hostname.endsWith(".local") ||
            location.hostname.endsWith(".lan") ||
            !location.hostname.includes(".") ||
            (
                location.port !== "" &&
                location.port !== "80" &&
                location.port !== "443"
            )
        ) {
            throw new Error("Refusing to log data from non-public webserver, see https://github.com/ihucos/counter.dev/issues/59");
        }

In the backend (golang) in the appropriate location here: https://github.com/ihucos/counter.dev/blob/master/backend/endpoints/track.go#L78
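
A server-side version of that check, as an added example (not counter.dev's own code and not taken from track.go): it parses the page URL the tracking request reports and rejects mDNS/LAN suffixes, dot-less hostnames, loopback and RFC 1918 addresses, and non-standard ports, so the hostnames and ports of developers' machines never reach the dashboard. The function name and the assumption that the backend has the page URL as a string are mine.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// IsNonPublicOrigin reports whether a page URL points at a host that an
// analytics backend should refuse to record: .local/.lan suffixes, dot-less
// hostnames, loopback/link-local/private IPs, or a dev server's odd port.
func IsNonPublicOrigin(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		// Unparseable or empty host: drop rather than record junk.
		return true
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))

	// Literal IP addresses (IPv4 or bracketed IPv6): reject non-public ranges.
	if ip := net.ParseIP(host); ip != nil {
		return ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
			ip.IsPrivate() || ip.IsUnspecified()
	}

	// Hostnames: mDNS, common LAN suffix, localhost, or no dot at all.
	if host == "localhost" || strings.HasSuffix(host, ".local") ||
		strings.HasSuffix(host, ".lan") || !strings.Contains(host, ".") {
		return true
	}

	// Explicit port other than 80/443, as in the client-side check above.
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		return true
	}
	return false
}

func main() {
	// Constructed sample origins, not real analytics data.
	for _, s := range []string{"http://macbook.local:8080/", "https://counter.dev/"} {
		fmt.Printf("%-28s non-public=%v\n", s, IsNonPublicOrigin(s))
	}
}
```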

hello-smile6 commented 2 years ago

> > @webdev03 No longer logging data from dev servers, see hello-smile6/neofetch-js@942b7ed
>
> Nice, would be nice to have your client side code:
>
>         // location.port is a string, and it is "" when the scheme's default
>         // port is in use, so it must be compared against strings, not numbers.
>         if (
>             location.hostname.endsWith(".local") ||
>             location.hostname.endsWith(".lan") ||
>             !location.hostname.includes(".") ||
>             (
>                 location.port !== "" &&
>                 location.port !== "80" &&
>                 location.port !== "443"
>             )
>         ) {
>             throw new Error("Refusing to log data from non-public webserver, see https://github.com/ihucos/counter.dev/issues/59");
>         }
>
> In the backend (golang) in the appropriate location here: https://github.com/ihucos/counter.dev/blob/master/backend/endpoints/track.go#L78

Okay.