Discourse CDNs are blocked by privacy badger


(Michael Downey) #1

Any reason why I’m getting a blank page here on meta for most things other than error pages, like, /latest, /top, /badges, and any categories?

If I start a new browser session and sign in again, everything’s back to normal.


(Régis Hanol) #2

Are there any javascript errors in the web console?


(Michael Downey) #3

Hmm, yep. Looks like a Chrome extension blocking the CDN used by meta? (worldssl.net)

GET https://d11a6trkgmumsb.cloudfront.net/cdn_asset/meta_discourse_org/preload_…30b1734bc94f05842624f3b2c157d2b.js?origin=https%3A%2F%2Fmeta.discourse.org net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:53
GET https://d11a6trkgmumsb.cloudfront.net/assets/locales/en-6e73f546e2a6ce32bf6435a634ef4552.js net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:54
GET https://d11a6trkgmumsb.cloudfront.net/cdn_asset/meta_discourse_org/vendor-82d6e086e6c992e9ff65e049b9709b25.js?origin=https%3A%2F%2Fmeta.discourse.org net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:55
GET https://d11a6trkgmumsb.cloudfront.net/cdn_asset/meta_discourse_org/applicat…758574dc41be1e5cd563f6946eb1617.js?origin=https%3A%2F%2Fmeta.discourse.org net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:56
GET https://d11a6trkgmumsb.cloudfront.net/assets/browser-update-d6b4c101a8a727a965bedc8d952539b3.js net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:242
Uncaught ReferenceError: PreloadStore is not defined (index):197
Uncaught ReferenceError: Ember is not defined (index):224
Uncaught ReferenceError: Discourse is not defined (index):230

Update: Looks like EFF’s Privacy Badger extension no longer likes meta’s CDN. I disabled it for the site.


(_Vi) #4

Thanks, resolved my problem as well.

I think Discourse should be more resilient to partially blocked JavaScript, cookies, old browsers, etc. and should show messages (at least in the console) saying what it wants.


(Jeff Atwood) #5

What was your specific problem? It’s unclear. Can you specify what it was, exactly?


(_Vi) #6

PrivacyBadger was blocking something like cdn.discourse.org (the name may not be exact). Because of that the page was OK when I first opened it, but as soon as I logged in, I saw only a little drib (a few unstyled links) on a blank page, with Uncaught ReferenceError things in the console (like above).

Googling for Uncaught ReferenceError: PreloadStore is not defined led me here, where I discovered that the issue is the conflict with PrivacyBadger. It auto-detected “red” status for that CDN domain: block not just cookies, but everything from this domain. Normally PrivacyBadger assigns “yellow” status for CDNs (block cookies, but allow using content). Maybe requests from other Discourse forums to the CDN looked “personalized”, with some IDs…

Disabling the badger on that site revealed the page, and the features for a logged-in user worked.

Shall I try filing an issue with the PrivacyBadger developers, or has it happened “by design”?


(Robin Ward) #7

I’m not sure about Privacy Badger but uBlock will list assets it blocks in the console. So if something innocuous like cdn.discourse.org is blocked you could see it there.


(Jeff Atwood) #8

I know @mpalmer was looking at Privacy Badger, no idea why it would decide a cdn had to be blocked.


(Michael Downey) #9

Here’s the current state of Privacy Badger on meta:


(_Vi) #10

Happened again on internals.rust-lang.org.

The domain in question is cdn-business.discourse.org. Switching it to yellow (block cookies) resolved the issue.

Maybe URIs there look too “high-entropy”, as if cdn-business.discourse.org were collecting info from all Discourse deployments:

https://cdn-business.discourse.org/stylesheets/desktop_cb86e901615de41fa28188c7ca3d6a4bb805d9d5.css?__ws=internals.rust-lang.org

Can the Discourse main page/script detect omissions of its assets and show some message like:

Some Discourse assets are blocked. Please review your browser settings, in particular NoScript, PrivacyBadger and other ad-blocking or policing addons. Check browser’s Javascript Console. Try another browser. If the problem persists, ask on meta.discourse.org.


(Jeff Atwood) #11

Not sure, @mpalmer is the resident Privacy Badger expert… I thought we set whatever policy file PB was looking for on the CDN. If you’d like to research this further and provide details @vi0oss that’d be helpful.


(_Vi) #12

In general, when something goes wrong with the Discourse loading process (due to PrivacyBadger, NoScript or another reason), I see a blank page. I think this is not good UX.

I have:

  • No JS - Limited nojs Discourse
  • Partial JS - blank (or almost blank) page
  • Full JS - Fully featured Discourse

I want:

  • No JS - Limited nojs Discourse
  • Partial JS - Limited nojs Discourse and/or error message explaining what asset could not be loaded (or another problem)
  • Full JS - Fully featured Discourse
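
Added example (not part of the thread and not Discourse's own code): one way a page could detect the "Partial JS" state described in posts #3 and #12, where blocked bundles leave `PreloadStore`, `Ember` and `Discourse` undefined, and show a notice instead of a blank page. The function names, the bundle labels in `EXPECTED` and the notice wording are assumptions; only the three global names come from the console output above.

```javascript
// Globals each bootstrap bundle should define (bundle labels are assumptions).
const EXPECTED = [
  { global: "PreloadStore", asset: "preload bundle" },
  { global: "Ember", asset: "vendor bundle" },
  { global: "Discourse", asset: "application bundle" },
];

// Entries whose global never appeared in `scope` (window in a browser).
function findMissingAssets(scope, expected = EXPECTED) {
  return expected.filter((e) => typeof scope[e.global] === "undefined");
}

// Distinct third-party hosts among the script URLs that failed to load.
function collectFailedHosts(failedUrls, pageHost) {
  const hosts = new Set();
  for (const url of failedUrls) {
    try {
      const host = new URL(url).host;
      if (host !== pageHost) hosts.add(host);
    } catch (_) { /* skip empty or unparsable src values */ }
  }
  return [...hosts].sort();
}

// Human-readable notice, or null when every expected global is present.
function buildNotice(missing, blockedHosts) {
  if (missing.length === 0) return null;
  const parts = ["Some Discourse assets did not load: " + missing.map((m) => m.asset).join(", ") + "."];
  if (blockedHosts.length > 0) parts.push("Requests to these hosts failed: " + blockedHosts.join(", ") + ".");
  parts.push("Check content-blocking extensions and the JavaScript console.");
  return parts.join(" ");
}

// Browser wiring (skipped outside a DOM). Must run inline, before the bundles.
if (typeof document !== "undefined") {
  const failed = [];
  // Resource load errors do not bubble, so listen in the capture phase.
  window.addEventListener("error", (ev) => {
    if (ev.target && ev.target.tagName === "SCRIPT") failed.push(ev.target.src);
  }, true);
  window.addEventListener("load", () => {
    const notice = buildNotice(findMissingAssets(window), collectFailedHosts(failed, location.host));
    if (!notice) return;
    console.warn(notice);
    const p = document.createElement("p");
    p.textContent = notice; // textContent: host names are never parsed as HTML
    document.body.prepend(p);
  });
}
```

Because the check itself is served from the first-party page rather than the CDN, it still runs when a content blocker drops every request to the CDN host.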

(Jeff Atwood) #13

I don’t care. What I care about is why Privacy Badger doesn’t like our CDN.


(Dean Taylor) #14

For me - having a clean brand new Google Chrome profile and installing Privacy Badger does not have any issues for meta:

EDIT:
Also tested in Firefox:


I also completed the sign up process on internals.rust-lang.org using the same clean Google profile:

Note that it lists “2 potential trackers”, although they are not blocked.


Be aware that Privacy Badger has no “Clear Settings” or “Reset Settings” option…
… so any adjustments or customisations you make currently cannot be undone in your profile.

Thus the only way to test the experience of other users is to create a clean fresh new Google Chrome profile.

However it’s also worth noting that Privacy Badger now includes heuristic based detection so there might be an event that happens to cause a domain to get flagged.


(_Vi) #15

As far as I know, PrivacyBadger is stateful. It judges the domain “behaviour” based on requests to it and can flip its green-yellow-red switch automatically in background based on heuristics.

Maybe to properly reproduce the issue one should try to use (and log in to) multiple independent Discourse deployments.


(Dean Taylor) #16

That’s what I have been testing…

So far the only thing that’s gone yellow is fonts.gstatic.com which occurred when I clicked to play a YouTube video.

EDIT:
And now when clicking to share that YouTube video to G+ a “red” for videos.google.com:

@vi0oss which Discourse instances do you visit?


(_Vi) #17

Something like that. Shall I try to reproduce the issue on purpose?


(Dean Taylor) #18

Usually the first step to solving a problem is reliably reproducing it.
It would be good to get a step-by-step reproduction of the issue.


(Dean Taylor) #19

After a while browsing several (5/6) instances and visiting talk.turtlerockstudios.com I noted the “DNT” indicators:


(_Vi) #20

The domain remained green.

No manual interactions with PrivacyBadger’s UI apart from opening its window, hovering there and inspecting settings were performed.