The_rationalist

Please tell me I'm misunderstanding something! By enabling by default the blocking of those third party scripts: https://disconnect.me/trackerprotection/blocked

This Wil have three consequences: Many websites will partially break? Which ones? webmaster will lack many data necessary to understand what users do on their platform, where they missclick, what they don't use etc, thus diminishing the ability of webmasters to make great products. *the most dramatic one: People will see ads but the owner of a website will no longer earn ad money, because those are the third party scripts that allowed to prove to the ad platform that a user had effectively seen X ads.

zwaps

Webmasters should have thought of that before littering their website with hundreds of off-site scripts and packaging all data and behavior and sending it off to dozens of tracking companies.

"great products". Yeah, websites used to be much, much better before loading every bit of text with a remote javascript.

Here's a behavioral data point: Go back to making good websites and stop leaking private data everywhere. That's a great product.

rhaksw

My website is broken by this feature [1]. It does not leak private data, as Mozilla devs said here [2]

> According to the original screenshot in the thread, your web page is sending an HTTP request to https://www.reddit.com/api/v1/access_token. If the user has previously visited reddit.com, this request will include the user's reddit cookies normally. Also, the HTTP request I mentioned before has a Referer header that points to the address of your web page by default in most browsers. So Reddit will be able to tell which user has visited which page on your site. In other word, Reddit will be able to see the user's browsing history, as if they had access to the user's computer.

> Note that nobody is blaming you or your site here.

[1] https://revddit.com/user/rhaksw

[2] https://groups.google.com/d/msg/mozilla.dev.privacy/XO84Ezrw...

zwaps

I don't get it. The Mozilla dev explained, as you quoted, that the API access sends the reddit cookie to reddit while not being on reddit. That's leaking private data. "In other word, Reddit will be able to see the user's browsing history, as if they had access to the user's computer." You know who owns reddit, right?

rhaksw
> the API access sends the reddit cookie to reddit while not being on reddit.

A few things,

(1) Why does it matter in this case? Under what scenario can you imagine reddit abusing the knowledge that certain users are reading metadata about reddit accounts off-site?

(2) It seems to me Firefox could selectively choose not to send cookies and the referrer header in this case, rather than rendering entire sites broken. In that manner, sites accessing social media APIs can function, no data leaks, and everyone is happy.

(3) Hundreds of sites are broken like this. An issue tracking them has been open for 5 years [1]. The list used to identify "tracking" websites is huge and not maintained by Firefox [2].

(4) Due to this list, it is virtually impossible to build a web service that queries any social media site and runs on Firefox under default settings, significantly handicapping apps that can be built. Devs' recommendation was for me to move the code to a server, which would be expensive to maintain and would limit usefulness to users by obscuring code and introducing per-IP rate limits from the external API, in this case reddit's.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1101005

[2] https://github.com/disconnectme/disconnect-tracking-protecti...