From: Fabian Keil Date: Fri, 20 Jun 2025 03:31:06 +0000 (+0200) Subject: Prevent a fingerprinting issue with various login pages X-Git-Url: http://www.privoxy.org/gitweb/%3C/static/%22https:/@proxy-info-url@?a=commitdiff_plain;h=93931583124eb045524d584fdfb964a0fcf32037;p=privoxy.git Prevent a fingerprinting issue with various login pages ... by not handling the requests as image requests or fast-redirecting them. Without the added section a request to a blocked or redirected login URL could be misdetected by third parties as the user being logged in to the given site, thus making fingerprinting Privoxy users easier. Note that this does not prevent the fingerprinting issue if the client is actually logged in. For details see: https://robinlinus.github.io/socialmedia-leak/ Doing that would probably be too invasive for a default configuration. --- diff --git a/default.action.master b/default.action.master index f06391fa..c5e1b539 100644 --- a/default.action.master +++ b/default.action.master @@ -2737,6 +2737,89 @@ config.privoxy.org/ # URL = http://www.flickr.com/ .flickr.com/ +# Without this section a request to a blocked or redirected +# login URL could be misdetected by third parties as the +# user being logged in to the given site, thus making +# fingerprinting Privoxy users easier. +# +# Note that this does not prevent the fingerprinting issue +# if the client is actually logged in. For details see: +# https://robinlinus.github.io/socialmedia-leak/ +{-client-header-tagger{image-requests} \ + -fast-redirects \ + -handle-as-image \ +} +# Sticky Actions = -client-header-tagger{image-requests} -fast-redirects -handle-as-image +# URL = https://squareup.com/login?return_to=%2Ffavicon.ico +squareup.com/login\? +# URL = https://twitter.com/login?redirect_after_login=%2f..%2ffavicon.ico +twitter.com/login\? +# URL = https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico%3F_rdr%3Dp +www.facebook.com/login.php\? +# URL = https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.google.com%2Ffavicon.ico&uilel=3&hl=en&service=mail +# URL = https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Ffavicon.ico&uilel=3&hl=en&service=youtube +# URL = https://accounts.google.com/ServiceLogin?service=blogger&hl=de&passive=1209600&continue=https://www.blogger.com/favicon.ico +accounts.google.com/ServiceLogin\? +# URL = https://plus.google.com/up/accounts/upgrade/?continue=https://plus.google.com/favicon.ico +plus.google.com/up/accounts/upgrade/\? +# URL = https://login.skype.com/login?message=signin_continue&redirect_uri=https%3A%2F%2Fsecure.skype.com%2Ffavicon.ico +login.skype.com/login\? +# URL = https://www.spotify.com/en/login/?forward_url=https%3A%2F%2Fwww.spotify.com%2Ffavicon.ico +# URL = http://www.spotify.com/login/?forward_url=https%3A%2F%2Fwww.spotify.com%2Ffavicon.ico +www.spotify.com/[^/]+/login/\? +www.spotify.com/login/\? +# URL = https://www.reddit.com/login?dest=https%3A%2F%2Fwww.reddit.com%2Ffavicon.ico +# URL = https://www.reddit.com/login/?dest=https%3A%2F%2Fwww.reddit.com%2Ffavicon.ico +www.reddit.com/login +# URL = https://www.tumblr.com/login?redirect_to=%2Ffavicon.ico +www.tumblr.com/login\? +# URL = https://www.expedia.de/user/login?ckoflag=0&selc=0&uurl=qscr%3Dreds%26rurl%3D%252Ffavicon.ico +www.expedia.de/user/login\? +# URL = https://www.dropbox.com/login?cont=https%3A%2F%2Fwww.dropbox.com%2Fstatic%2Fimages%2Fabout%2Fdropbox_logo_glyph_2015.svg +www.dropbox.com/login\? +# URL = https://www.amazon.com/ap/signin/178-4417027-1316064?_encoding=UTF8&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=10000000&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Ffavicon.ico +www.amazon.com/ap/signin/ +# URL = https://www.pinterest.com/login/?next=https%3A%2F%2Fwww.pinterest.com%2Ffavicon.ico +www.pinterest.com/login/ +# URL = https://de.foursquare.com/login?continue=%2Ffavicon.ico +de.foursquare.com/login\? +# URL = https://eu.battle.net/login/de/index?ref=http://eu.battle.net/favicon.ico +eu.battle.net/login/ +# URL = https://store.steampowered.com/login/?redir=favicon.ico +store.steampowered.com/login/ +# URL = https://www.academia.edu/login?cp=/favicon.ico&cs=www +www.academia.edu/login\? +# URL = https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Ffavicon.ico%3Fid%3D1 +github.com/login\? +# URL = https://medium.com/m/signin?redirect=https%3A%2F%2Fmedium.com%2Ffavicon.ico&loginType=default +medium.com/m/signin\? +# URL = https://news.ycombinator.com/login?goto=y18.gif%23 +news.ycombinator.com/login\? +# URL = https://carbonmade.com/signin?returnTo=favicon.ico +carbonmade.com/signin\? +# URL = https://courses.edx.org/login?next=/favicon.ico +courses.edx.org/login\? +# URL = https://slack.com/checkcookie?redir=https%3A%2F%2Fslack.com%2Ffavicon.ico%23 +slack.com/checkcookie\? +# URL = https://www.khanacademy.org/login?continue=https%3A//www.khanacademy.org/favicon.ico +www.khanacademy.org/login\? +# URL = https://www.paypal.com/signin?returnUri=https://t.paypal.com/ts?v=1.0.0 +www.paypal.com/signin\? +# URL = https://500px.com/login?r=%2Ffavicon.ico +500px.com/login\? +# URL = https://www.airbnb.com/login?redirect_params[action]=favicon.ico&redirect_params[controller]=home +www.airbnb.com/login\? +# URL = https://disqus.com/profile/login/?next=https%3A%2F%2Fdisqus.com%2Ffavicon.ico +disqus.com/profile/login/\? +# URL = https://secure.meetup.com/login/?returnUri=https%3A%2F%2Fwww.meetup.com%2Fimg%2Fajax_loader_trans.gif +# URL = https://www.meetup.com/login/?returnUri=https%3A%2F%2Fwww.meetup.com%2Fimg%2Fajax_loader_trans.gif +.meetup.com/login/\? +# URL = https://bitbucket.org/account/signin/?next=/favicon.ico +bitbucket.org/account/signin/\? +# URL = https://secure.indeed.com/account/login?continue=%2ffavicon.ico +secure.indeed.com/account/login\? +# URL = https://vk.com/login?u=2&to=ZmF2aWNvbi5pY28- +vk.com/login\? #---------------------------------------------------------------------------- # Sections that modify the action settings based on tags.