privacybadger icon indicating copy to clipboard operation
privacybadger copied to clipboard

Published 20 hours ago verified publisher icon EFForg

Option to remove metadata from URL

Open intchloe opened this issue 8 years ago • 7 comments

Read more: https://medium.com/@jeremyrubin/caution-copy-pasting-urls-from-google-search-can-leak-previous-searches-11940508e79

Some URLs have metadata in them and when sharing them they can leak sensitive data. 3 exemples:

  1. https://www.google.se/search?q=%221%22&gws_rd=cr&ei=d4VDVtTeOeK_ygOcgoioCQ#safe=off&q=%222%22
  2. http://www.imdb.com/name/nm0147147/?ref_=nv_sr_1
  3. https://www.youtube.com/watch?v=mHSaHRd4Q48&feature=youtu.be

If you search from the address bar in Chrome and then search again on Google your old search is still in the URL as metadata!

Imdb also have metadata, in my example I searched(nv_sr = navigate searchbar)

If you click on a youtu.be-link the full link will tell you so(&feature=youtu.be)

There are more examples of course. I think this would be a great feature in Privacy Badger. The best option would be to rewrite the URL even before you visit it because then would none see the metadata, not the server, someone behind you nor the person you're sharing the link to.

Regards, Chloe

intchloe avatar Nov 11 '15 18:11 intchloe

I understand the issue, but don't understand the enhancement request. Are you proposing that PB have the ability to change the URL before it is sent? What does that have to do with trackers? Are additional trackers the result of this type of URL? Thanks.

KidPluto avatar Dec 13 '16 22:12 KidPluto

Related: #85

ghostwords avatar Apr 18 '17 21:04 ghostwords

Up, I'm really interested by this. :)

I personally use au-revoir-utm to remove utm data and it works pretty well, but I'm interested by having only one privacy add-on.

I found recent merge-requests about anti link-tracking, like #2016, but AFAIU this doesn't remove utm data.

roipoussiere avatar May 31 '18 11:05 roipoussiere

I think stripping UTM parameters in particular would be an easy win. They're widely used, and afaik exclusively used for tracking. @roipoussiere if you're interested in working on a PR for this feature, I'll review it. Otherwise I'll get to it after catching up on some other backlogged stuff.

bcyphers avatar Jul 08 '18 21:07 bcyphers

I want to start working on this, building off au-revoir-utm, but we'll have to watch out for conflicts with HTTPS Everywhere and other url-rewriting extensions (https://github.com/jparise/chrome-utm-stripper/issues/13).

This is a problem with browsers in general; webextensions should really allow multiple extensions to rewrite the same URL in sequence. Since they don't, we need to work around the conflicts, especially since there's a lot of overlap between ours and HTTPSE's users. We have a few options:

  1. Short-term: only rewrite requests that are already https. This should avoid almost all dangerous conflicts with HTTPSE (thanks, @ghostwords).

  2. Mid-term: Rewrite static links on web pages using techniques like #2016. This will avoid the conflicts altogether, but might add significant performance overhead to some sites and won't catch all requests.

  3. Long-term: merge EFF's two browser extensions into one! I can't imagine there are a lot of PB users who would opt-out of having HTTPSE functionality built in. The other way around might be different, but we can make it easy for users to opt out of Privacy Badger's blocking if they want to. Having a single code base would allow us to avoid issues like these, and avoid duplicating problems like https://github.com/EFForg/https-everywhere/issues/16377. I'll be opening a separate issue for this so we can discuss it more.

bcyphers avatar Sep 05 '18 20:09 bcyphers

Brave has a query string filter: https://github.com/brave/brave-browser/wiki/Query-String-Filter

ghostwords avatar Jun 10 '20 16:06 ghostwords

ClearURLs / recent HN thread

ghostwords avatar Jun 17 '21 17:06 ghostwords