On Mon, Oct 15, 2018 at 9:50 PM <[email protected]> wrote:
> Thanks for your reply. I'm afraid I still don't understand the details of
> Tracking Protection. Are there any social media sites that are not on the
> tracking protection list? How are they distinguished from reddit? Perhaps
> if I understand this bit I'll be convinced to move the requests to the
> server side.
>

Our tracking protection feature is powered by the Tracking Protection list of Disconnect.me, see https://disconnect.me/trackerprotection. There you can find information about what a tracker is, which trackers are blocked, which are not blocked, and how to get more information. As to your question about whether there are any social media sites, I don't have a full list of them and that question is off-topic for this mailing list. You may use the aforementioned link to access the full list of all of the domains on the Tracking Protection list and assess whether your favourite social network services are included.

> To clarify, revddit.com does not load any scripts from reddit. It queries
> reddit's API in the same way reddit does to help users know about 3rd
> parties removing content that they shared online. It does not require a
> login from the user and only uses my developer API key.

Here is a very simple description of how cross-site tracking works: https://stackoverflow.com/questions/13897472/how-do-third-party-tracking-cookies-work

According to the original screenshot in the thread, your web page is sending an HTTP request to https://www.reddit.com/api/v1/access_token. If the user has previously visited reddit.com, this request will include the user's reddit cookies normally. Also, the HTTP request I mentioned before has a Referer header that points to the address of your web page by default in most browsers. So Reddit will be able to tell which user has visited which page on your site. In other words, Reddit will be able to see the user's browsing history, as if they had access to the user's computer.

Note that nobody is blaming you or your site here. This is just a by-product of how the fundamental building blocks of the web platform have been designed. Very sadly, the Internet and the web were not designed with privacy in mind, and therefore they expose your site's users to this risk without any malice necessarily on your behalf.

Hope this explanation helps make this unfortunate situation make some sense.

> The site currently does nothing if it cannot query reddit directly via the
> client. I see two options,
>
> (1) Gracefully let users know that they have Tracking Protection enabled
> and explain the above.
>
> (2) Move the requests code to the server, possibly resulting in poorer
> performance.
>

May I humbly suggest the second option? The fact is, your site as it is currently designed is exposing its users to this privacy risk on most browser configurations. Also, note that it is probably not *just* the Firefox tracking protection that blocks this request, but there are probably other privacy tools and extensions with a similar behavior out there too. By moving these requests to the server you will help improve the privacy of all of your site's users, as well as ensure that your site is more robust in various browser configurations.

Cheers,
--
Ehsan

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
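The leak Ehsan describes, and the server-side relay he recommends, as an added example that is not part of this thread and is not revddit.com's code. The "third-party API" is a constructed mock listening on localhost; the browser's default behaviour of attaching the user's cookies and a Referer pointing at the embedding page is modelled by setting those two headers explicitly (the mock has no real cookie jar). The cookie value, the page URL, the `Authorization: Bearer` header and the API-key value are all placeholders chosen for the illustration, not taken from the thread.

```python
"""Cross-site request leak vs. server-side relay, modelled against a local mock API.

Added example. The third-party API is a constructed localhost mock; cookie,
page URL and API-key values are placeholders, not data from the thread."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple


class ThirdPartyAPI(BaseHTTPRequestHandler):
    """Stands in for an API such as reddit's. It records the Cookie and
    Referer headers of each request: together they let the third party link
    a logged-in user to the page that triggered the request."""

    seen: List[Tuple[Optional[str], Optional[str]]] = []  # (Cookie, Referer) per request

    def do_GET(self) -> None:
        ThirdPartyAPI.seen.append(
            (self.headers.get("Cookie"), self.headers.get("Referer"))
        )
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def start_mock_api() -> Tuple[HTTPServer, str]:
    """Start the mock API on an ephemeral localhost port; return (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), ThirdPartyAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def send(url: str, headers: Dict[str, str]) -> None:
    """One GET with exactly the headers given (urllib adds no cookies on its own)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        resp.read()


def browser_request(api_url: str, page_url: str, user_cookie: str) -> None:
    """Pattern (1) in the thread: the page's own JavaScript calls the API.
    A 2018 browser attached the user's cookies for the API's site and a
    Referer naming the page, so both are set here to model that default."""
    send(api_url, {"Cookie": user_cookie, "Referer": page_url})


def relay_request(api_url: str, site_api_key: str) -> None:
    """Pattern (2): the site's server calls the API. It holds no user cookie
    and sends no Referer, only the site's own credential (header is assumed)."""
    send(api_url, {"Authorization": f"Bearer {site_api_key}"})


def what_api_learned(
    record: Tuple[Optional[str], Optional[str]]
) -> Optional[Tuple[str, str]]:
    """(user identity, page visited) if the third party can link them, else None."""
    cookie, referer = record
    if cookie and referer:
        return (cookie, referer)
    return None


def run_demo() -> List[Optional[Tuple[str, str]]]:
    """Send one request of each kind and report what the mock API could learn."""
    ThirdPartyAPI.seen.clear()
    server, base = start_mock_api()
    try:
        api_url = base + "/api/v1/access_token"  # path from the thread; host is the mock
        # Constructed values: a fake session cookie and a fake page on the site.
        browser_request(api_url, "https://example-site.test/r/somepage",
                        "reddit_session=USER123")
        relay_request(api_url, "SITE_API_KEY_PLACEHOLDER")
    finally:
        server.shutdown()
        server.server_close()
    return [what_api_learned(r) for r in ThirdPartyAPI.seen]


if __name__ == "__main__":
    for kind, learned in zip(("browser", "relay"), run_demo()):
        print(f"{kind}: third party learned {learned}")
```

The first request lets the mock API pair the user's session cookie with the exact page they were on; the second carries nothing that identifies the user or the page, which is why moving the call server-side removes the risk regardless of which privacy tools the visitor has enabled. Real browsers have since tightened the default Referer policy, but cookies are still attached to such requests unless the third party's cookie attributes prevent it, so the relay remains the robust fix.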
