Prevent a fingerprinting issue with various login pages
author: Fabian Keil <fk@fabiankeil.de>
Fri, 20 Jun 2025 03:31:06 +0000 (05:31 +0200)
committer: Fabian Keil <fk@fabiankeil.de>
Sun, 22 Jun 2025 09:32:25 +0000 (11:32 +0200)
... by not handling the requests as image requests
or fast-redirecting them.

Without the added section a request to a blocked or
redirected login URL could be misdetected by third
parties as the user being logged in to the given site,
thus making fingerprinting Privoxy users easier.

Note that this does not prevent the fingerprinting issue
if the client is actually logged in. For details see:
https://robinlinus.github.io/socialmedia-leak/

Doing that would probably be too invasive for a default
configuration.

default.action.master

index f06391f..c5e1b53 100644 (file)
@@ -2737,6 +2737,89 @@ config.privoxy.org/
 # URL = http://www.flickr.com/
 .flickr.com/
 
+# Without this section a request to a blocked or redirected
+# login URL could be misdetected by third parties as the
+# user being logged in to the given site, thus making
+# fingerprinting Privoxy users easier.
+#
+# Note that this does not prevent the fingerprinting issue
+# if the client is actually logged in. For details see:
+# https://robinlinus.github.io/socialmedia-leak/
+{-client-header-tagger{image-requests} \
+ -fast-redirects \
+ -handle-as-image \
+}
+# Sticky Actions = -client-header-tagger{image-requests} -fast-redirects -handle-as-image
+# URL = https://squareup.com/login?return_to=%2Ffavicon.ico
+squareup.com/login\?
+# URL = https://twitter.com/login?redirect_after_login=%2f..%2ffavicon.ico
+twitter.com/login\?
+# URL = https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico%3F_rdr%3Dp
+www.facebook.com/login.php\?
+# URL = https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.google.com%2Ffavicon.ico&uilel=3&hl=en&service=mail
+# URL = https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Ffavicon.ico&uilel=3&hl=en&service=youtube
+# URL = https://accounts.google.com/ServiceLogin?service=blogger&hl=de&passive=1209600&continue=https://www.blogger.com/favicon.ico
+accounts.google.com/ServiceLogin\?
+# URL = https://plus.google.com/up/accounts/upgrade/?continue=https://plus.google.com/favicon.ico
+plus.google.com/up/accounts/upgrade/\?
+# URL = https://login.skype.com/login?message=signin_continue&redirect_uri=https%3A%2F%2Fsecure.skype.com%2Ffavicon.ico
+login.skype.com/login\?
+# URL = https://www.spotify.com/en/login/?forward_url=https%3A%2F%2Fwww.spotify.com%2Ffavicon.ico
+# URL = http://www.spotify.com/login/?forward_url=https%3A%2F%2Fwww.spotify.com%2Ffavicon.ico
+www.spotify.com/[^/]+/login/\?
+www.spotify.com/login/\?
+# URL = https://www.reddit.com/login?dest=https%3A%2F%2Fwww.reddit.com%2Ffavicon.ico
+# URL = https://www.reddit.com/login/?dest=https%3A%2F%2Fwww.reddit.com%2Ffavicon.ico
+www.reddit.com/login
+# URL = https://www.tumblr.com/login?redirect_to=%2Ffavicon.ico
+www.tumblr.com/login\?
+# URL = https://www.expedia.de/user/login?ckoflag=0&selc=0&uurl=qscr%3Dreds%26rurl%3D%252Ffavicon.ico
+www.expedia.de/user/login\?
+# URL = https://www.dropbox.com/login?cont=https%3A%2F%2Fwww.dropbox.com%2Fstatic%2Fimages%2Fabout%2Fdropbox_logo_glyph_2015.svg
+www.dropbox.com/login\?
+# URL = https://www.amazon.com/ap/signin/178-4417027-1316064?_encoding=UTF8&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=10000000&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Ffavicon.ico
+www.amazon.com/ap/signin/
+# URL = https://www.pinterest.com/login/?next=https%3A%2F%2Fwww.pinterest.com%2Ffavicon.ico
+www.pinterest.com/login/
+# URL = https://de.foursquare.com/login?continue=%2Ffavicon.ico
+de.foursquare.com/login\?
+# URL = https://eu.battle.net/login/de/index?ref=http://eu.battle.net/favicon.ico
+eu.battle.net/login/
+# URL = https://store.steampowered.com/login/?redir=favicon.ico
+store.steampowered.com/login/
+# URL = https://www.academia.edu/login?cp=/favicon.ico&cs=www
+www.academia.edu/login\?
+# URL = https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Ffavicon.ico%3Fid%3D1
+github.com/login\?
+# URL = https://medium.com/m/signin?redirect=https%3A%2F%2Fmedium.com%2Ffavicon.ico&loginType=default
+medium.com/m/signin\?
+# URL = https://news.ycombinator.com/login?goto=y18.gif%23
+news.ycombinator.com/login\?
+# URL = https://carbonmade.com/signin?returnTo=favicon.ico
+carbonmade.com/signin\?
+# URL = https://courses.edx.org/login?next=/favicon.ico
+courses.edx.org/login\?
+# URL = https://slack.com/checkcookie?redir=https%3A%2F%2Fslack.com%2Ffavicon.ico%23
+slack.com/checkcookie\?
+# URL = https://www.khanacademy.org/login?continue=https%3A//www.khanacademy.org/favicon.ico
+www.khanacademy.org/login\?
+# URL = https://www.paypal.com/signin?returnUri=https://t.paypal.com/ts?v=1.0.0
+www.paypal.com/signin\?
+# URL = https://500px.com/login?r=%2Ffavicon.ico
+500px.com/login\?
+# URL = https://www.airbnb.com/login?redirect_params[action]=favicon.ico&redirect_params[controller]=home
+www.airbnb.com/login\?
+# URL = https://disqus.com/profile/login/?next=https%3A%2F%2Fdisqus.com%2Ffavicon.ico
+disqus.com/profile/login/\?
+# URL = https://secure.meetup.com/login/?returnUri=https%3A%2F%2Fwww.meetup.com%2Fimg%2Fajax_loader_trans.gif
+# URL = https://www.meetup.com/login/?returnUri=https%3A%2F%2Fwww.meetup.com%2Fimg%2Fajax_loader_trans.gif
+.meetup.com/login/\?
+# URL = https://bitbucket.org/account/signin/?next=/favicon.ico
+bitbucket.org/account/signin/\?
+# URL = https://secure.indeed.com/account/login?continue=%2ffavicon.ico
+secure.indeed.com/account/login\?
+# URL = https://vk.com/login?u=2&to=ZmF2aWNvbi5pY28-
+vk.com/login\?
 
 #----------------------------------------------------------------------------
 # Sections that modify the action settings based on tags.
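Review bot: `www.reddit.com/login` is the one pattern in this section that ends neither in `\?` nor in a `/`, so it also matches any path that merely starts with `/login` (a hypothetical `/login_help`, for example); since the two quoted reddit URLs differ only in the optional slash before the query string, `www.reddit.com/login/?\?` would cover both without widening the match, in line with how the spotify and meetup entries are written. The `# Sticky Actions` and `# URL =` comments follow the file's existing convention, and the broad `vk.com/login\?` pattern is the right choice there, since the redirect target is base64-encoded in the `to` parameter (`ZmF2aWNvbi5pY28-` decodes to `favicon.ico`) rather than appearing literally in the query.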