I shall don my asbestos undergarments and wade in…
3 Likes
Getting another report of this on Twitter:
Apparently “everyone’s Privacy Badger will behave differently, based on what sites you’ve visited in the past” – can you elaborate on this @riking?
Yep. Basically every time you visit a Cloudflare site, the heuristic sees “it’s sending/setting a long random cookie to a domain 3rd-party vs the page, that’s suspicious.” After a few visits, it transitions to red.
The fix would be to have special handling for __cfuuid, e.g. locking just that cookie to the yellow area.
4 Likes
Is McNeel using CloudFlare? I didn’t think they were. We definitely don’t use it, except for the main website and blog. So why is cdn-enterprise.discourse.org – which has zilch to do with CloudFlare – getting tarred with this particular brush?
They’re not using it anywhere I can see. I’ve also confirmed that there’s no cookies coming back on cdn-enterprise.discourse.org. I’m sticking with “Privacy Badger is… complicated”, and leaving this bug report here: https://github.com/EFForg/privacybadgerfirefox-legacy/issues/490
3 Likes
Oh, right. Hmmm… the v parameter maybe? That’d be a real pain if that’s what’s tripping it.
Here’s one of the relevant source files from last time I was investigating this stuff:
https://github.com/EFForg/privacybadgerfirefox-legacy/blob/master/lib/heuristicBlocker.js#L23
1 Like
Since apparently the “legacy” issues aren’t being watched any more, I’ve just created https://github.com/EFForg/privacybadger/issues/1121 to hopefully get some insight on this from the PB dev team.
4 Likes
I see it happening again with the avatars host:
Took me a while to realize it was PB.
1 Like