undefined | Better HN

0 pointsrhaksw7y ago0 comments

My website is broken by this feature [1]. It does not leak private data, as Mozilla devs said here [2]

> According to the original screenshot in the thread, your web page is sending an HTTP request to https://www.reddit.com/api/v1/access_token. If the user has previously visited reddit.com, this request will include the user's reddit cookies normally. Also, the HTTP request I mentioned before has a Referer header that points to the address of your web page by default in most browsers. So Reddit will be able to tell which user has visited which page on your site. In other word, Reddit will be able to see the user's browsing history, as if they had access to the user's computer.

> Note that nobody is blaming you or your site here.

[1] https://revddit.com/user/rhaksw

[2] https://groups.google.com/d/msg/mozilla.dev.privacy/XO84Ezrw...

0 comments

3 comments · 1 top-level

zwaps7y ago· 2 in thread

I don't get it. The Mozilla dev explained, as you quoted, that the API access sends the reddit cookie to reddit while not being on reddit. That's leaking private data. "In other word, Reddit will be able to see the user's browsing history, as if they had access to the user's computer." You know who owns reddit, right?

rhakswOP7y ago

> the API access sends the reddit cookie to reddit while not being on reddit.

A few things,

(1) Why does it matter in this case? Under what scenario can you imagine reddit abusing the knowledge that certain users are reading metadata about reddit accounts off-site?

(2) It seems to me Firefox could selectively choose not to send cookies and the referrer header in this case, rather than rendering entire sites broken. In that manner, sites accessing social media APIs can function, no data leaks, and everyone is happy.

(3) Hundreds of sites are broken like this. An issue tracking them has been open for 5 years [1]. The list used to identify "tracking" websites is huge and not maintained by Firefox [2].

(4) Due to this list, it is virtually impossible to build a web service that queries any social media site and runs on Firefox under default settings, significantly handicapping apps that can be built. Devs' recommendation was for me to move the code to a server, which would be expensive to maintain and would limit usefulness to users by obscuring code and introducing per-IP rate limits from the external API, in this case reddit's.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1101005

[2] https://github.com/disconnectme/disconnect-tracking-protecti...

zwaps7y ago

I would argue that 99% of sites sending cookies and personal information to social media do so for tracking purposes.

You may be the exception. But its a privacy tradeoff that benefits the majority.

And let me say: if webmasters had shown any respect for privacy in the first place, maybe this would not have occured.

1 more reply

j / k navigate · click thread line to collapse