Admins please disable referrer sending

liqj8gto · 4 February 2021 10:17

there may be a way to get around this without disabling all embedded videos. i would have to check out the details, but as long as the videos are not embedded using youtube’s embedding template thing (because i’m assuming it loads client side tracking scripts or does similar datamining fuckery) it should be fine. that’s something that can be investigated more, but changing the referrer policy has absolutely no downside and should really just be done now. that way at least the issue is mitigated for conventional links.

edit: it occurred to me that if <video> tags work on discourse you can probably do the embedding through an invidious instance or even just linking directly against the googlevideo url instead of the youtube embed. btw i did also check what gets loaded when you do a normal embed and i was right, tons of tracking scripts get pulled in (it doesn’t even seem to use the referrer header but that also might just be my browser config). i’ll have to poke around when i have more time, because i don’t actually know how discourse works in this aspect.

edit2: for now, if anyone reading this absolutely must embed videos, make sure you click the “enable privacy enhanced mode” box in the youtube share/embed thing. or, alternatively, just change the url in the html you paste in to use “youtube-nocookie” instead of “youtube”. i don’t know how much this actually does, but it will at the very least prevent simple page loads from phoning home. how much data gets leaked by actually loading/playing the video is anyone’s guess.

douteiful · 5 April 2021 16:48

I don’t get why robots.txt is set up so this website doesn’t appear in Google Search Results but we’re just fine with sending referrers everywhere.

https://bfforums.com/robots.txt

# Googlebot must be allowed to index so it can remove items from the index
# we return the X-Robots-Tag with noindex, nofollow which will ensure
# indexing is minimized and nothing shows up in Google search results

Q · 5 April 2021 21:10

I’ll adjust some stuff in the next few days or so.

Q · 20 April 2021 09:09

This should be working now. If embedded videos are ever a problem we can look into that later too, although I’d rather not disable them if possible.

douteiful · 21 February 2022 03:05

Another vtuber got to know about us through statistics. It doesn’t seem to be fixed yet. My headers show:

referrer-policy: strict-origin-when-cross-origin

It should be same-origin…!

Q · 21 February 2022 22:01

I think it’s still working. What do you see if you click this? https://whatsmyreferer.com/

douteiful · 22 February 2022 04:41

Indeed it apparently works. I’ll test here:

https://www.whatismybrowser.com/detect/what-http-headers-is-my-browser-sending

EDIT: Indeed it’s not sending them at all. Might it be older browsers that don’t respect the policy?

Q · 22 February 2022 11:32

I’m guessing they’re finding us in the statistics from when people play embedded videos. Videos have been kind of glitchy on discourse lately so I’m not entirely opposed to turning them off. I’ll make a poll and see what people think.