selfoss
Anonymizer breaks fancy-box
When using an anonymizer, links to embedded images are anonymized, too. Since fancy-box is doing an ajax request for the image, it gets confused by the server-side forwarding of the anonymizer.
Looks like Fancybox 3 does not have this issue. Just tested this in the devtools by adding http://nullrefer.com/? to the href entry of an image on the Fancybox example page.
Can we update this? :)
We are already using fancybox 3 in master. Could you try it out?
Okay sorry. I just did an npm upgrade and now run fancybox v3.2.5 here as well.
Still, a linked image will not show, instead the default fancybox error message is being displayed:
The requested content can not be loaded. Please try again later
So to explain my research: the old fancybox page runs v2.1.7 and when I edit one of the image links and add https://nullrefer.com/?http… to it in the devtools, the error message above appears.
But on the new fancybox page this does not happen. Instead, the expected image pops up.
I don't know whether this is a fancybox or a selfoss issue
I see the error even on the new demo site. Did you by chance not update the URLs in the srcset attribute?
Actually, the issue is that nullrefer.com does a client-side redirect using JavaScript, which is why it does not work – the browser receives an HTML page instead of an image. You would need to use an anonymizer that does server-side redirects.
By the way, you do not need an anonymiser to prevent referrer leak. Since 2.15 (#741), we use a meta tag that prevents sending referrer. Check the browser support at https://caniuse.com/#feat=referrer-policy
ok, what about https://nullrefer.mcnesium.com/? which is just this PHP script:
<?php header('Refresh: 0;URL="'.$_SERVER['QUERY_STRING'].'"'); ?>
…
While I was writing this, I double-checked and found that it does not work either with my own nullreferer. Also, the fancybox developer replied in the referenced issue that it just "doesn't work" :(
So I guess there are no anonymized images for all of us.
Refresh header is weird and will not work with inline resources (images). You can use Location header instead.
But note that just like nullrefer, this is not anonymization (hiding the IP address of your browser). The only effect this will have is hiding the referer, which is already done better by the meta referrer tag.
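A server-side redirector along the lines suggested in the comment above, as an added example that is not part of the original thread or of selfoss. The `url` query parameter and the `validated_target` helper are assumptions of this sketch; it answers with a `Location` header, sends `Referrer-Policy: no-referrer` with the redirect, and validates the target so the script cannot be used for header injection or non-HTTP schemes.

```php
<?php
// Added example (not selfoss code). Assumed usage: redirect.php?url=<percent-encoded target>
declare(strict_types=1);

/**
 * Hypothetical helper: return the target if it is safe to place in a
 * Location header, otherwise null.
 */
function validated_target($raw): ?string
{
    // Arrays (url[]=...) and empty or oversized values are rejected outright.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Control characters and spaces never belong in a header value;
    // rejecting CR/LF here is what prevents response header injection.
    if (preg_match('/[\x00-\x20\x7f]/', $raw) === 1) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // only absolute URLs are accepted
    }
    // Block javascript:, data:, file: and anything else that is not plain web.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials (user:pass@host) are a common phishing disguise.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return $raw;
}

$target = validated_target($_GET['url'] ?? null);
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit("Bad or missing url parameter\n");
}

// A real HTTP redirect works for inline resources such as <img src>, which a
// Refresh header or a JavaScript redirect page does not.
header('Referrer-Policy: no-referrer'); // ask the browser to omit the referrer
header('Cache-Control: no-store');
header('Location: ' . $target, true, 302);
```

Even with these checks the script forwards to any http(s) host, so it is still an open redirector and is best kept behind the same access control as the selfoss instance it serves.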
Sure, I know that this is not being proxied or anything, I just don't want every webserver admin to know where I host my selfoss. Yet, I was not aware of the meta referrer tag and that it's already included in selfoss. A quick check with whatismyreferer.com indicates that it seems to work. So is the anonymizer feature obsolete?
Yes, it is obsolete. Unless you really want to use it as a proxy to hide your identity – but that was never reliable.