reddit.com: privacy #18938
Comments
|
Can you test this? reddit.com,~out.reddit.com##+js(set, Object.prototype.allowClickTracking, false) |
|
I have that on my configuration (as attached above) when testing on my dirty profile and the behaviour still persists. I'll test again to make sure. Edit: Yeah, still persists |
|
Does it occur on desktop? |
|
I cannot reproduce on desktop using clean profile and default uBlock Origin, only on mobile. |
|
@partingscientist are you able to reproduce the issue using FF emulator on desktop ? How did you note that behaviour on android ? steps ? |
Yes, on clean profile and default uBlock Origin.
Given |
|
I cannot reproduce the issue => no |
|
I also cannot reproduce on mobile. |
|
I'm still investigating the reproducibility on my end, as I can confidently reproduce the issue; I'll report my findings soon. Just to make sure, you're not logged in while testing, right?
|
|
Here's what I found (Firefox Mobile 116.0b3 and default stable-release uBlock Origin on Android): It seems to me that Reddit is currently testing a new user interface for their mobile website ( Here's the old user interface
Here's what they are currently testing
The issue is reproducible on the old interface by interacting with the link bar below the post thumbnail on the right hand side. However, the issue is not reproducible on the new interface. I very rarely get this new interface, perhaps due to geolocation and other factors which also might vary amongst the maintainers here. |
|
I can reproduce. The key is this
Can you test this filter? reddit.com##+js(json-prune, data.children.[].data.outbound_link)An easy way to test if there's |
This works, both on Firefox Mobile and Firefox Desktop with the emulator. |
|
Tracking happening via urls like filter -- |
|
@stephenhawk8054 I'm not sure if these two are needed - I don't have a reddit account, so cannot confirm it but you can. |
|
You're right. I don't see those connections any more. |
@stephenhawk8054 the length of pathname characters is randomised. Source
// Ho() returns a UUID in the form [0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}
// (line 2665-2677, line 2734-2742)
const us = `/svc/shreddit/${(()=>{const e=Ho().split("-"),t=1+Math.floor(6*Math.random()),n=`${e[1]+e[2]}`.substring(0,t);return e[0]+n})()}`,
ms = (e, t) => {
const n = "function" != typeof navigator.sendBeacon || ps() ? "function" == typeof fetch ? cs : void 0 : ds;
void 0 !== n && n({
url: us,
eventsBuffer: e,
microapp: _r(),
shouldNotSendDropEvent: t
})
};
|
|
It cannot be 8 characters actually (my bad), |
|
Keeping 8 is still good as the old ones have 8: |
When I suggested that filter it was always 8 during my tests. So did something change now ? |
|
@stephenhawk8054 Why change |
|
I did see a var Co = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i;
function Ao(e) {
return "string" == typeof e && Co.test(e)
}
function Oo(e) {
var t = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : 0,
n = (Lo[e[t + 0]] + Lo[e[t + 1]] + Lo[e[t + 2]] + Lo[e[t + 3]] + "-" + Lo[e[t + 4]] + Lo[e[t + 5]] + "-" + Lo[e[t + 6]] + Lo[e[t + 7]] + "-" + Lo[e[t + 8]] + Lo[e[t + 9]] + "-" + Lo[e[t + 10]] + Lo[e[t + 11]] + Lo[e[t + 12]] + Lo[e[t + 13]] + Lo[e[t + 14]] + Lo[e[t + 15]]).toLowerCase();
if (!Ao(n)) throw TypeError("Stringified UUID is invalid");
return n
}
function Ho(e, t, n) {
var o = (e = e || {}).random || (e.rng || Io)();
if (o[6] = 15 & o[6] | 64, o[8] = 63 & o[8] | 128, t) {
n = n || 0;
for (var r = 0; r < 16; ++r) t[n + r] = o[r];
return t
}
return Oo(o)
}
const ps = () => ("boolean" == typeof hs || (e => {
hs = e
})(document.querySelector("shreddit-app")?.hasAttribute("disable-send-beacon") ?? !1), hs),
us = `/svc/shreddit/${(()=>{const e=Ho().split("-"),t=1+Math.floor(6*Math.random()),n=`${e[1]+e[2]}`.substring(0,t);return e[0]+n})()}`,
ms = (e, t) => {
const n = "function" != typeof navigator.sendBeacon || ps() ? "function" == typeof fetch ? cs : void 0 : ds;
void 0 !== n && n({
url: us,
eventsBuffer: e,
microapp: _r(),
shouldNotSendDropEvent: t
})
};The characters indeed only had |
|
Update: Ah ok I can see it now:
|
|
I also see the query parameter Might be related: |
|
I think you should revert to |
|
Ok: eee6fec |
Usually we try to be as specific as needed to avoid false positives. Using |
|
Hmmm... the hex-based is what I really didn't think about, I was always wondering why reddit used |
So what was I suggesting was not the proper approach ? My point is this wouldn't last long if we go from
Because I'm not that paranoid. Also to mention, the previous filters I suggested lasted more than one and a half years(Oct 2021 - August 2023), so I'm going by that way. |
|
I think it's ok, reddit does indeed usually change that part. Actually they have changed it to The blocked requests just keeps increasing so I want to try reddit.com##+js(no-fetch-if, 'url:/^https:\/\/www\.reddit\.com\/svc\/shreddit\/[0-9A-z]{9,}$/ method:post')
reddit.com##+js(no-xhr-if, 'url:/^https:\/\/www\.reddit\.com\/svc\/shreddit\/[0-9A-z]{9,}$/ method:post') |
I found a connection to that url, here is a test link: I tested these but they do not work. reddit.com##+js(no-fetch-if, url:/^https:\/\/www\.reddit\.com\/$/ method:post)
reddit.com##+js(no-xhr-if, url:/^https:\/\/www\.reddit\.com\/$/ method:post) |
|
@partingscientist Does this work? ||www.reddit.com/|$xhr,1p,method=post |
|
|
// https://www.redditstatic.com/shreddit/en-US/shell-e5fddcc3.js, 6009
let Tc;
const Ic = () => ("boolean" == typeof Tc || (e => {
Tc = e
})(document.querySelector("shreddit-app")?.hasAttribute("disable-send-beacon") ?? !1), Tc),
Cc = (e, t) => Math.floor(Math.random() * (t - e) + e),
Ac = (e, t, n) => `${e.slice(0,n)}${t}${e.slice(n)}`,
Lc = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
Pc = () => Lc[Math.floor(Math.random() * Lc.length)],
Oc = `/svc/shreddit/${(e=>{if(e<="/!".length)throw new Error(`Invalid len argument supplied. Must be greater than ${"/!".length}`);let t=[...Array(e-"/!".length)].map(Pc).join("");return t=Ac(t,"/!"[0],Math.floor(t.length/2)),t=Ac(t,"/!"[1],Cc(0,t.length-1)),t})(Cc(15,25))}`,
Rc = ({
eventsBuffer: e,
v2EventsRoute: t,
options: n
}) => {
const o = "function" != typeof navigator.sendBeacon || Ic() ? "function" == typeof fetch ? Sc : void 0 : kc;
void 0 !== o && o({
url: t || Oc,
eventsBuffer: e,
microapp: ar(),
options: n
})
};# https://github.com/uBlockOrigin/uAssets/blame/2789c0c31a3ee62e432e3f5090398553075d5f74/filters/privacy.txt#L109-L110
||www.reddit.com/svc/shreddit/$xhr,1p,method=post
@@||reddit.com/svc/shreddit/more-comments/$xhr,1p,method=post? |
|
@partingscientist Looks like the above filters cannot load the comments in this link? |
|
I thought I'd let you know first, haven't attempted to craft or test anything previously. How about /^https:\/\/www\.reddit\.com\/svc\/shreddit\/[A-z0-9\/!]{15,24}$/$xhr,1p,method=post,match-case? |
|
@partingscientist Still does not work for me. If I'm not mistaken, it's because reddit is detecting if you block those XHR, it won't load the comments. Even when using fd = async ({
url: e,
eventsBuffer: t,
microapp: n,
options: o
}) => {
const r = jo.get("csrf_token") ?? "",
i = !yd() ? t : {
csrf_token: r,
info: t
},
a = JSON.stringify(i);
let s;
try {
s = await fetch(e, {
body: a,
headers: {
"Content-Type": "text/PLAIN",
"x-sh-microapp-route": n || "monolith"
},
keepalive: !0,
method: "post",
credentials: "same-origin"
})
} catch (n) {
return void(o?.shouldNotRetryIfFail ? o?.shouldNotSendDropEvent || bd({
eventsBuffer: t,
errorText: `An error: ${n}`,
v2EventsRoute: e
}) : Id({
eventsBuffer: t,
v2EventsRoute: e,
options: {
shouldNotRetryIfFail: !0
}
}))
}
if (s?.ok) {
Array.from(s.headers).length && (vd || (vd = document.querySelector("shreddit-app")), vd)?.resolvePendingRequests();
const e = s.headers.get("x-set-loid") || void 0,
t = s.headers.get("x-set-session") || void 0;
window.dispatchEvent(new CustomEvent("v2-events-sent", {
detail: {
loid: e,
session_tracker: t
}
}))
} else o?.shouldNotSendDropEvent || bd({
eventsBuffer: t,
errorText: `HTTP Response Code: ${s?.status}`,
v2EventsRoute: e
});
return s
};(This is their old code, they might change something already) |
Technically, it's checking for specific request headers with the fetch request, if the headers are not found, content won't load. |
|
There's two ways to this tracking issue as I can see -
|
|
@gorhill any solution for ongoing issue with reddit ? |
Prerequisites
URL address of the web page
https://www.reddit.com/r/worldnews/Category
privacy
Description
While not logged in, Reddit mobile site tracks outbound navigation using
out.reddit.com.The behaviour still exists after testing with Firefox 116.0b3 and default uBlock Origin.
Other extensions used
None.
Screenshot(s)
Screenshot(s)
Configuration
The text was updated successfully, but these errors were encountered: