https://github.com/gorhill/httpswitchboard/wiki/How-does-HTT...
"look to be"? How would javascript code know that?
I measured something, and that is the result of my measurement. People can make an informed decision with proper information. I found that the page served well without all the extra requests that Ghostery and Disconnect allowed.
Given the results, I am quite surprised you would say "look to be first parties serving content for the page".
> "If you go to the Guardian, you're going to be tracked by the Guardian"
* facebook-web-clients.appspot.com
* guardian-notifications.appspot.com
* related-info-hrd.appspot.com
* static-serve.appspot.com
* cdnjs.cloudflare.com
* ajax.googleapis.com
* discussion.guardianapis.com
* s.ophan.co.uk
Aside from `discussion.guardianapis.com`, the others are clearly 3rd parties.
It seems my definition of "3rd party" aligns more with that of the EFF: https://www.eff.org/deeplinks/2013/06/third-party-resources-...
Now you focused on the Guardian, how about the two other cases I measured?
I'm sure you don't like the result, but this is what came out when I decided to audit. Your response: You don't think it is a problem. That is settled.
> Given the results, I am quite surprised you would say "look to be first parties serving content for the page".
I believe every single domain name you listed (except the Google and Twitter domains, like I said) is a domain owned by or a CDN used by the Guardian or hosts an app run by the Guardian - prove me wrong:
> facebook-web-clients.appspot.com
> guardian-notifications.appspot.com
> related-info-hrd.appspot.com
> static-serve.appspot.com
> cdnjs.cloudflare.com
> discussion.guardianapis.com
> s.ophan.co.uk
This is a terrible answer: you are suggesting that Disconnect knows exactly which 3rd-party is legit when visiting a web page, and somehow you can vouch that none of these hostnames is a threat to privacy (this is what your defense of this implies).
`static-serve.appspot.com` is no different than `ajax.googleapis.com` (you didn't list this one, why?): they are 3rd-party hostnames, and some are CDNs, which is exactly why they are not to be trusted. You can end up hitting these hostnames from other places than just the Guardian, which is the problem.
In any case, the legitimacy of their purpose is not the point. They are 3rd-party hostnames: unless told, the user wouldn't know that he is also hitting these hostnames.
I will note that you completely disregarded the other results which are even more embarrassing to explain (like `simplereach.cc`: "SimpleReach tracks every social action on each piece of published content to deliver detailed insights and clear metrics around social behavior.")
Despite "Adobe tag" marked as blocked by Disconnect, these requests were not blocked:
http://p.typekit.net/p.gif?a=219379&f=175.10294.10295.10296....
http://www.adobetag.com/d1/condenast/live/Wired.js
This is the part that bothers me: fooling people into thinking they are shielded against this kind of thing. That is not ok. I accept bugs can happen, but so far your position has been to rationalize why these 3rd-party domains are not blocked.
Oh and in this particular case, Ghostery blocked everything it said it blocked.
https://addons.mozilla.org/en-US/firefox/addon/requestpolicy...
The Ghostery database is not static either, and we update it very often. If you feel we are missing something, please let us know.