Discourse CDNs are blocked by privacy badger

Any reason why I’m getting a blank page here on meta for most things other than error pages, like, /latest, /top, /badges, any any categories?

If I start a new browser session and sign in again, everything’s back to normal.

Are there any javascript errors in the web console?

Hmm, yep. Looks like a Chrome extension blocking blocking the CDN used by meta? (worldssl.net)

GET https://d11a6trkgmumsb.cloudfront.net/cdn_asset/meta_discourse_org/preload_…30b1734bc94f05842624f3b2c157d2b.js?origin=https%3A%2F%2Fmeta.discourse.org net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:53
GET https://d11a6trkgmumsb.cloudfront.net/assets/locales/en-6e73f546e2a6ce32bf6435a634ef4552.js net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:54
GET https://d11a6trkgmumsb.cloudfront.net/cdn_asset/meta_discourse_org/vendor-82d6e086e6c992e9ff65e049b9709b25.js?origin=https%3A%2F%2Fmeta.discourse.org net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:55
GET https://d11a6trkgmumsb.cloudfront.net/cdn_asset/meta_discourse_org/applicat…758574dc41be1e5cd563f6946eb1617.js?origin=https%3A%2F%2Fmeta.discourse.org net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:56
GET https://d11a6trkgmumsb.cloudfront.net/assets/browser-update-d6b4c101a8a727a965bedc8d952539b3.js net::ERR_BLOCKED_BY_CLIENT meta.discourse.org/:242
Uncaught ReferenceError: PreloadStore is not defined (index):197
Uncaught ReferenceError: Ember is not defined (index):224
Uncaught ReferenceError: Discourse is not defined (index):230

Update: Looks like EFF’s Privacy Badger extension no longer likes meta’s CDN. I disabled it for the site.

Thanks, resolved my problem as well.

I think Discourse should be more proof to partially blocked JavaScript, cookies, old browsers, etc. and should show messages (at least into console) what does it want.

What was your specific problem? It’s unclear. Can you specify what it was, exactly?

PrivacyBadger was blocking something like cdn.discourse.org (the name may be not exact). Because of that the page was OK when I first opened it, but as soon as I logged in, I saw only little drib (a few unstyled links) on blank page, with Uncaught ReferenceError things in console (like above).

Googling for Uncaught ReferenceError: PreloadStore is not defined led me here, where I discovered that the issue is the conflict with PrivacyBadger. It auto-detected “red” status for that CDN domain: block not just cookies, but everything from this domain. Normally PrivacyBadger assigns “yellow” status for CDNs (block cookies, but allow using content). Maybe requests from other Discourse forumns to the CDN it looked “personalized”, with some IDs…

Disabling the badger on that site revealed the page, features of logged in user worked.

Shall I try filing an issue to PrivacyBadger developers or it has happened “by design”?

I’m not sure about Privacy Badger but uBlock will list assets it blocks in the console. So if something innocuous like cdn.discourse.org is blocked you could see it there.

I know @mpalmer was looking at Privacy Badger, no idea why it would decide a cdn had to be blocked.

Here’s the current state of Privacy Badger on meta:

Pasted image849×1047 102 KB

Happened again on internals.rust-lang.org.

The domain in question is cdn-business.discourse.org. Switching it to yellow (block cookies) resolved issue.

Maybe URIs there look too “high-entropy”, as if cdn-business.discourse.org collecting info from all Discourse deployments:

https://cdn-business.discourse.org/stylesheets/desktop_cb86e901615de41fa28188c7ca3d6a4bb805d9d5.css?__ws=internals.rust-lang.org

Can Discourse main page/script detect omissions of it’s assets and show some message like

Some Discourse assets are blocked. Please review your browser settings, in particular NoScript, PrivacyBadger and other ad-blocking or policing addons. Check browser’s Javascript Console. Try another browser. If the problem persists, ask on meta.discourse.org.

Not sure, @mpalmer is the resident Privacy Badger expert… I thought we set whatever policy file PB was looking for on the CDN. If you’d like to research this further and provide details @vi0oss that’d be helpful.

In general, when something goes wrong with Discourse loading process (due to PrivacyBadger, NoScript or another reason), I see the blank page. I think this is not good UX.

I have:

• No JS - Limited nojs Discourse
• Partial JS - blank (or almost blank) page
• Full JS - Fully featured Discourse

I want:

• No JS - Limited nojs Discourse
• Partial JS - Limited nojs Discourse and/or error message explaining what asset could not be loaded (or another problem)
• Full JS - Fully featured Discourse

I don’t care. What I care about is why Privacy Badger doesn’t like our CDN.

For me - having a clean band new Google Chrome profile and installing Privacy Badger does not have any issues for meta:

EDIT:
Also tested in Firefox:

Pasted image449×618 26.6 KB

I also completed the sign up process on internals.rust-lang.org using the same clean Google profile:

Pasted image639×551 41.2 KB

Note that it lists “2 potential trackers”, although they are not blocked.

Be aware that Privacy Badger has no “Clear Settings” or “Reset Settings” option…
… so any adjustments or customisations you make currently cannot be undone in your profile.

Thus the only way to test the experience of other users is to create a clean fresh new Google Chrome profile.

However it’s also worth noting that Privacy Badger now includes heuristic based detection so there might be an event that happens to cause a domain to get flagged.

As far as I know, PrivacyBadger is stateful. It judges the domain “behaviour” based on requests to it and can flip it’s green-yellow-red switch automatically in background based on heuristics.

Maybe to properly reproduce the issue one should try to use (and log in to) multiple independent Discourse deployments.

That’s what I have been testing…

So far the only thing that’s gone yellow is fonts.gstatic.com which occurred when I clicked to play a YouTube video.

Pasted image1630×680 355 KB

EDIT:
And now when clicking to share that YouTube video to G+ a “red” for videos.google.com:

Pasted image500×690 34.9 KB

@vi0oss which Discourse instances do you visit?

• http://internals.rust-lang.org/
• http://users.rust-lang.org/
• http://forum.safenetwork.io/
• https://meta.discourse.org
• https://discourse.redox-os.org/

Something like that. Shall I try to reproduce the issue on purpose?

Usually the first step to solving a problem is reliably reproducing it.
It would be good to get a step-by-step reproduction of the issue.

After a while browsing several (5/6) instances and visiting talk.turtlerockstudios.com I noted the “DNT” indicators:

Pasted image466×637 40.9 KB

• Startred 38.0.6 for Linux, with fresh profile
• Installed PrivacyBadger 1.0.6 to it (in primary browser I have 1.0.5)
• Visited and logged in to https://meta.discourse.org
• Visited http://users.rust-lang.org/
  cdn-business.discourse.org is showed green in PB
• Visited http://internals.rust-lang.org/
• Tried logging in to internals.rust-lang.org (forgot which password I should use)
• Tried logging in to internals.rust-lang.org using Github - not authorized
• Followed password reset link to internals.rust-lang.org
• Followed password reset link to users.rust-lang.org
  So far cdn-business is green
• Visited https://discourse.redox-os.org/
• Visited http://forum.safenetwork.io/
• Logged in to http://forum.safenetwork.io/

The domain remained green.

• Opened Discourse (software) - Wikipedia and clicked some links:

• http://discourse.ubuntu.com/
  Red domain: avatars.discourse.org. The site works.

• https://discuss.atom.io/
  Red domain: cdn-business.discourse.org. The site fails

• SitePoint Forums | Web Development & Design Community
  Yellow domain: cdn.discourse.org. The site works.

• Visited http://users.rust-lang.org/ again: blank page (cdn-business now blacklisted).

No manual interactions with PrivacyBadger’s UI apart from opening it’s window, hovering there and inspecting settings was performed.