Discourse CDNs are blocked by Privacy Badger

I shall don my asbestos undergarments and wade in…

3 Likes

Getting another report of this on Twitter:

Apparently “everyone’s Privacy Badger will behave differently, based on what sites you’ve visited in the past” – can you elaborate on this @riking?

Yep. Basically every time you visit a Cloudflare site, the heuristic sees “it’s sending/setting a long random cookie to a domain 3rd-party vs the page, that’s suspicious.” After a few visits, it transitions to red.

The fix would be to have special handling for __cfuuid, e.g. locking just that cookie to the yellow area.

4 Likes
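
The learning behaviour described in the post above, as a simplified model; this is an added example, not part of the thread and not Privacy Badger's code. The threshold of three sites, the entropy cutoff, the cookie name `uid` and all hostnames are assumptions made for illustration.

```javascript
// Simplified model of a learning tracker heuristic; not Privacy Badger's code.
// Assumed values: threshold, entropy cutoff, cookie names, hostnames.
const STRIKE_THRESHOLD = 3;  // distinct first-party sites before action is taken
const MIN_ENTROPY_BITS = 48; // cutoff for a "long random" cookie value
// Rough estimate: value length * log2(number of distinct characters).
function estimateBits(value) {
  const alphabet = new Set(value).size;
  return alphabet < 2 ? 0 : value.length * Math.log2(alphabet);
}

class Profile {
  constructor(yellowOnlyCookies = []) {
    this.yellowOnly = new Set(yellowOnlyCookies); // cookie names capped at yellow
    this.hosts = new Map(); // third-party host -> { sites, capped }
  }
  // Record one third-party request seen while browsing `firstParty`.
  observe(firstParty, thirdParty, cookies = {}) {
    if (thirdParty === firstParty) return;
    const ids = Object.keys(cookies)
      .filter((name) => estimateBits(cookies[name]) >= MIN_ENTROPY_BITS);
    if (ids.length === 0) return; // no identifier-like cookie, no strike
    const rec = this.hosts.get(thirdParty) || { sites: new Set(), capped: true };
    rec.sites.add(firstParty);
    // Stay capped only while every identifier-like cookie is on the list.
    rec.capped = rec.capped && ids.every((name) => this.yellowOnly.has(name));
    this.hosts.set(thirdParty, rec);
  }
  // green: allowed; yellow: request allowed, cookies stripped; red: blocked.
  state(thirdParty) {
    const rec = this.hosts.get(thirdParty);
    if (!rec || rec.sites.size < STRIKE_THRESHOLD) return "green";
    return rec.capped ? "yellow" : "red";
  }
}

// Constructed sample: three users, same CDN, different histories or settings.
function demo() {
  const cdn = "cdn.example.net", id = { uid: "d41f8a07c3b9e65f2a10" };
  const sites = ["forum-a.example", "forum-b.example", "forum-c.example"];
  const heavy = new Profile(), light = new Profile(), patched = new Profile(["uid"]);
  for (const s of sites) {
    heavy.observe(s, cdn, id);
    patched.observe(s, cdn, id);
    heavy.observe(s, "static.example.org", { lang: "en" }); // no identifier
  }
  light.observe(sites[0], cdn, id);
  return { heavy: heavy.state(cdn), light: light.state(cdn),
           patched: patched.state(cdn), cookieless: heavy.state("static.example.org") };
}
```

The same CDN host ends up red for the user who has seen it on three sites and green for the user who has seen it on one, which is why two people report different results; under this model a host that never sets an identifier-like cookie stays green.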

Is McNeel using CloudFlare? I didn’t think they were. We definitely don’t use it, except for the main website and blog. So why is cdn-enterprise.discourse.org – which has zilch to do with CloudFlare – getting tarred with this particular brush?

They’re not using it anywhere I can see. I’ve also confirmed that there are no cookies coming back on cdn-enterprise.discourse.org. I’m sticking with “Privacy Badger is… complicated”, and leaving this bug report here: https://github.com/EFForg/privacybadgerfirefox-legacy/issues/490

3 Likes

Oh, right. Hmmm… the v parameter maybe? That’d be a real pain if that’s what’s tripping it.

Here’s one of the relevant source files from last time I was investigating this stuff:

https://github.com/EFForg/privacybadgerfirefox-legacy/blob/master/lib/heuristicBlocker.js#L23

1 Like

Since apparently the “legacy” issues aren’t being watched any more, I’ve just created https://github.com/EFForg/privacybadger/issues/1121 to hopefully get some insight on this from the PB dev team.

4 Likes

I see it happening again with the avatars host:

Took me a while to realize it was PB.

1 Like