Privacy badger sends DNT header even if it is disabled for a site #1260

Closed
bluedreamer opened this issue Mar 21, 2017 · 4 comments · Fixed by #1861

@bluedreamer

Whitelisting a site does not stop Privacy Badger in Google Chrome sending the DNT cookie.

So the site is disabled.

    "settings_map": {
        "disabledSites": [
            "192.168.202.246"
        ],
        "isFirstRun": false,
        "migrationLevel": 5,
        "seenComic": true,
        "showCounter": true,
        "socialWidgetReplacementEnabled": true,
        "webRTCIPProtection": false
    },

And packet capture of the headers

    [root@kobold ~]# tcpdump -n -nn -i any -A port 80 and host 192.168.202.246
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    08:34:22.174534 IP 192.168.202.246.52668 > 192.168.202.246.80: Flags [S], seq 2425456811, win 43690, options [mss 65495,sackOK,TS val 608492933 ecr 0,nop,wscale 7], length 0
    E..<U.@.@..O...........P.............m.........
    $D..........
    08:34:22.174548 IP 192.168.202.246.80 > 192.168.202.246.52668: Flags [S.], seq 643993466, ack 2425456812, win 43690, options [mss 65495,sackOK,TS val 608492933 ecr 608492933,nop,wscale 7], length 0
    E..<..@.@.#~.........P..&b.z.........m.........
    $D..$D......
    08:34:22.174557 IP 192.168.202.246.52668 > 192.168.202.246.80: Flags [.], ack 1, win 342, options [nop,nop,TS val 608492933 ecr 608492933], length 0
    E..4U/@.@..V...........P....&b.{...V.e.....
    $D..$D..
    08:34:22.174663 IP 192.168.202.246.52668 > 192.168.202.246.80: Flags [P.], seq 1:469, ack 1, win 342, options [nop,nop,TS val 608492933 ecr 608492933], length 468: HTTP: GET / HTTP/1.1
    E...U0@.@..............P....&b.{...V.9.....
    $D..$D..GET / HTTP/1.1
    Host: 192.168.202.246
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8
    DNT: 1
    If-None-Match: "f-54b3dd55eb399"
    If-Modified-Since: Tue, 21 Mar 2017 13:43:48 GMT

And the code sets the DNT anyway

    /**
     * Filters outgoing cookies and referer
     * Injects DNT
     *
     * @param details Event details
     * @returns {*} modified headers
     */
    function onBeforeSendHeaders(details) {
    ......
      if (badger.isPrivacyBadgerEnabled(tabDomain) &&
          isThirdPartyDomain(requestDomain, tabDomain)) {
    ......
      }

    ......
      // Still sending Do Not Track even if HTTP and cookie blocking are disabled
      details.requestHeaders.push({name: "DNT", value: "1"});
      return {requestHeaders: details.requestHeaders};
    }

ghostwords changed the title from "Privacy badger sends DNT cookie even if it is disabled for a site" to "Privacy badger sends DNT header even if it is disabled for a site" on Mar 21, 2017

ghostwords added the "bug" and "DNT policy" (EFF's Do Not Track policy: www.eff.org/dnt-policy) labels on Mar 21, 2017

@ghostwords
Member

ghostwords commented Mar 31, 2017

Related: #474.

void-elf self-assigned this on May 3, 2017

@void-elf
Contributor

@ghostwords I was just looking over this issue again, and it seems like all that needs to be done is for this line: details.requestHeaders.push({name: "DNT", value: "1"}); to be removed and for some tests to be added. Does that sound reasonable? Sorry, it's been a while since I've worked on PB and wanted to ask before I got started.

@ghostwords
Member

ghostwords commented Aug 14, 2017

I think the issue here is that Privacy Badger modifies your browsing on pages you disabled Privacy Badger on (pages belonging to "whitelisted" domains). "Modifies your browsing" specifically means Badger still sets the DNT header. We want Privacy Badger to usually set the DNT header, but perhaps not for requests for resources on "whitelisted" pages.

Should we always set the DNT header, or should disabling Privacy Badger on a site mean Privacy Badger stops setting the DNT header for resources on that site? I think, yes, we should try to avoid modifying your browsing in any way if the user disabled Privacy Badger.

In that case, we need to check and avoid inserting the DNT header while on whitelisted domains.

If we added a test for this, it would be a functional (Selenium-powered) test that checks that Privacy Badger sends DNT on a site; then we disable Badger for that site and confirm that DNT no longer gets sent. To make checking header sending easier, we may set up a little service on an EFF server that responds differently based on whether it got DNT or not. Here is a test we have that uses a similar service to test how many cookies were sent with a request.
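
An added example, not part of the thread and not Privacy Badger's own code: the unconditional DNT injection from the report next to a variant gated on the site's enabled state, run against a constructed request. `isEnabledFor`, `injectDntAlways`, `injectDntIfEnabled`, `headersSent` and `sampleRequest` are hypothetical names, and the tab domain is passed in directly as a simplifying assumption.

```javascript
// Constructed settings, mirroring the "disabledSites" list in the report.
const settings = { disabledSites: ["192.168.202.246"] };

// Hypothetical stand-in for badger.isPrivacyBadgerEnabled(tabDomain).
function isEnabledFor(tabDomain) {
  return !settings.disabledSites.includes(tabDomain);
}

// Header names are case-insensitive, so compare in lower case.
function countHeader(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter((h) => h.name.toLowerCase() === wanted).length;
}

// Behaviour reported in the issue: DNT is appended on every request.
function injectDntAlways(details) {
  const headers = details.requestHeaders.concat({ name: "DNT", value: "1" });
  return { requestHeaders: headers };
}

// Gated variant. tabDomain is passed in directly (assumption); a real
// handler derives it from the tab that issued the request.
function injectDntIfEnabled(details, tabDomain) {
  // Disabled site, or DNT already present (for example from the browser's
  // own privacy setting): return an empty response, i.e. change nothing.
  if (!isEnabledFor(tabDomain) ||
      countHeader(details.requestHeaders, "DNT") > 0) {
    return {};
  }
  const headers = details.requestHeaders.concat({ name: "DNT", value: "1" });
  return { requestHeaders: headers };
}

// Headers that go on the wire once the handler's response is applied.
function headersSent(details, response) {
  return response.requestHeaders || details.requestHeaders;
}

// Constructed request, modelled on the captured GET in the report.
function sampleRequest(extra = []) {
  return {
    requestHeaders: [{ name: "Host", value: "192.168.202.246" }, ...extra],
  };
}
```

The gated variant also leaves an existing DNT header alone, so a user who turned DNT on in the browser's privacy settings still sends it exactly once on enabled and disabled sites alike.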

@andresbase

If the user wants to send the DNT signal at all times, even with PB disabled, this can be configured directly in the browser privacy settings. When a user disables Privacy Badger we shouldn't be doing anything (so we shouldn't be sending the DNT signal); that way we avoid other sorts of issues.

I'll have this added to the FAQ when this change is rolled out.
