[Privoxy-commits] [privoxy] 01/04: Prevent a fingerprinting issue with various login pages

User Git git at git.privoxy.org
Sun Jun 22 11:32:37 CEST 2025



git pushed a commit to branch master
in repository privoxy.

commit 93931583124eb045524d584fdfb964a0fcf32037
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Fri Jun 20 05:31:06 2025 +0200

    Prevent a fingerprinting issue with various login pages
    
    ... by not handling the requests as image requests
    or fast-redirecting them.
    
    Without the added section a request to a blocked or
    redirected login URL could be misdetected by third
    parties as the user being logged in to the given site,
    thus making fingerprinting Privoxy users easier.
    
    Note that this does not prevent the fingerprinting issue
    if the client is actually logged in. For details see:
    https://robinlinus.github.io/socialmedia-leak/
    
    Doing that would probably be too invasive for a default
    configuration.
---
 default.action.master | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)

diff --git a/default.action.master b/default.action.master
index f06391fa..c5e1b539 100644
--- a/default.action.master
+++ b/default.action.master
@@ -2737,6 +2737,89 @@ config.privoxy.org/
 # URL = http://www.flickr.com/
 .flickr.com/
 
+# Without this section a request to a blocked or redirected
+# login URL could be misdetected by third parties as the
+# user being logged in to the given site, thus making
+# fingerprinting Privoxy users easier.
+#
+# Note that this does not prevent the fingerprinting issue
+# if the client is actually logged in. For details see:
+# https://robinlinus.github.io/socialmedia-leak/
+{-client-header-tagger{image-requests} \
+ -fast-redirects \
+ -handle-as-image \
+}
+# Sticky Actions = -client-header-tagger{image-requests} -fast-redirects -handle-as-image
+# URL = https://squareup.com/login?return_to=%2Ffavicon.ico
+squareup.com/login\?
+# URL = https://twitter.com/login?redirect_after_login=%2f..%2ffavicon.ico
+twitter.com/login\?
+# URL = https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico%3F_rdr%3Dp
+www.facebook.com/login.php\?
+# URL = https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.google.com%2Ffavicon.ico&uilel=3&hl=en&service=mail
+# URL = https://accounts.google.com/ServiceLogin?passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Ffavicon.ico&uilel=3&hl=en&service=youtube
+# URL = https://accounts.google.com/ServiceLogin?service=blogger&hl=de&passive=1209600&continue=https://www.blogger.com/favicon.ico
+accounts.google.com/ServiceLogin\?
+# URL = https://plus.google.com/up/accounts/upgrade/?continue=https://plus.google.com/favicon.ico
+plus.google.com/up/accounts/upgrade/\?
+# URL = https://login.skype.com/login?message=signin_continue&redirect_uri=https%3A%2F%2Fsecure.skype.com%2Ffavicon.ico
+login.skype.com/login\?
+# URL = https://www.spotify.com/en/login/?forward_url=https%3A%2F%2Fwww.spotify.com%2Ffavicon.ico
+# URL = http://www.spotify.com/login/?forward_url=https%3A%2F%2Fwww.spotify.com%2Ffavicon.ico
+www.spotify.com/[^/]+/login/\?
+www.spotify.com/login/\?
+# URL = https://www.reddit.com/login?dest=https%3A%2F%2Fwww.reddit.com%2Ffavicon.ico
+# URL = https://www.reddit.com/login/?dest=https%3A%2F%2Fwww.reddit.com%2Ffavicon.ico
+www.reddit.com/login
+# URL = https://www.tumblr.com/login?redirect_to=%2Ffavicon.ico
+www.tumblr.com/login\?
+# URL = https://www.expedia.de/user/login?ckoflag=0&selc=0&uurl=qscr%3Dreds%26rurl%3D%252Ffavicon.ico
+www.expedia.de/user/login\?
+# URL = https://www.dropbox.com/login?cont=https%3A%2F%2Fwww.dropbox.com%2Fstatic%2Fimages%2Fabout%2Fdropbox_logo_glyph_2015.svg
+www.dropbox.com/login\?
+# URL = https://www.amazon.com/ap/signin/178-4417027-1316064?_encoding=UTF8&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=10000000&openid.return_to=https%3A%2F%2Fwww.amazon.com [...]
+www.amazon.com/ap/signin/
+# URL = https://www.pinterest.com/login/?next=https%3A%2F%2Fwww.pinterest.com%2Ffavicon.ico
+www.pinterest.com/login/
+# URL = https://de.foursquare.com/login?continue=%2Ffavicon.ico
+de.foursquare.com/login\?
+# URL = https://eu.battle.net/login/de/index?ref=http://eu.battle.net/favicon.ico
+eu.battle.net/login/
+# URL = https://store.steampowered.com/login/?redir=favicon.ico
+store.steampowered.com/login/
+# URL = https://www.academia.edu/login?cp=/favicon.ico&cs=www
+www.academia.edu/login\?
+# URL = https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Ffavicon.ico%3Fid%3D1
+github.com/login\?
+# URL = https://medium.com/m/signin?redirect=https%3A%2F%2Fmedium.com%2Ffavicon.ico&loginType=default
+medium.com/m/signin\?
+# URL = https://news.ycombinator.com/login?goto=y18.gif%23
+news.ycombinator.com/login\?
+# URL = https://carbonmade.com/signin?returnTo=favicon.ico
+carbonmade.com/signin\?
+# URL = https://courses.edx.org/login?next=/favicon.ico
+courses.edx.org/login\?
+# URL = https://slack.com/checkcookie?redir=https%3A%2F%2Fslack.com%2Ffavicon.ico%23
+slack.com/checkcookie\?
+# URL = https://www.khanacademy.org/login?continue=https%3A//www.khanacademy.org/favicon.ico
+www.khanacademy.org/login\?
+# URL = https://www.paypal.com/signin?returnUri=https://t.paypal.com/ts?v=1.0.0
+www.paypal.com/signin\?
+# URL = https://500px.com/login?r=%2Ffavicon.ico
+500px.com/login\?
+# URL = https://www.airbnb.com/login?redirect_params[action]=favicon.ico&redirect_params[controller]=home
+www.airbnb.com/login\?
+# URL = https://disqus.com/profile/login/?next=https%3A%2F%2Fdisqus.com%2Ffavicon.ico
+disqus.com/profile/login/\?
+# URL = https://secure.meetup.com/login/?returnUri=https%3A%2F%2Fwww.meetup.com%2Fimg%2Fajax_loader_trans.gif
+# URL = https://www.meetup.com/login/?returnUri=https%3A%2F%2Fwww.meetup.com%2Fimg%2Fajax_loader_trans.gif
+.meetup.com/login/\?
+# URL = https://bitbucket.org/account/signin/?next=/favicon.ico
+bitbucket.org/account/signin/\?
+# URL = https://secure.indeed.com/account/login?continue=%2ffavicon.ico
+secure.indeed.com/account/login\?
+# URL = https://vk.com/login?u=2&to=ZmF2aWNvbi5pY28-
+vk.com/login\?
 
 #----------------------------------------------------------------------------
 # Sections that modify the action settings based on tags.
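Review bot: The section's header comment (the paragraph above the action block) states the effect — the user appears logged in — but not the mechanism, so it gives a maintainer no criterion for deciding which future login endpoints belong in this list; the example URLs show it, since every listed page takes a redirect-target parameter that points at an image (favicon.ico, a .gif, an .svg), and a third-party page can load such a URL in an `<img>` element and infer the login state from whether an image arrives. With `handle-as-image` or `fast-redirects` still applied, Privoxy's own response — presumably a placeholder image for a blocked request, or a direct jump to the image target for a redirected one — would make that probe succeed regardless of the real login state, which is what unsetting the three actions avoids. I would add after the existing paragraph: `# The listed login pages accept a redirect target, usually an image, that a third-party page can probe through an <img> element to infer the login state.` On a lesser point, `www.reddit.com/login`, `www.pinterest.com/login/`, `eu.battle.net/login/`, `store.steampowered.com/login/` and `www.amazon.com/ap/signin/` omit the trailing `\?` the other patterns end with and therefore also match neighbouring paths; since the section only unsets actions this costs at most fast-redirects on those paths, but the reddit entry would read more consistently as `www.reddit.com/login/?\?`, which covers both example URLs.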
