[Bug]: Telemetry always enabled for anonymous viewers
What happened?
When sharing a page with "Everyone who has the link" and viewing it while logged out, the browser is constantly hammering 5 requests every 5 seconds, including a request to https://telemetry.affine.run/track/ with encoded data with tons of information about the user agent including an ID and other very fingerprintable info. I don't see how this could be legal without an opt-out (I'm in the EU so this feels like it could fall under GDPR rules) and why in general you can only opt out from a logged in instance and not the guest one!
The other requests similarly look like a bug, as the browser keeps requesting getDocRolePermissions and getWorkspaceInfo forever and the server keeps basically replying "you aren't logged in, dummy!"
Distribution version
Web (https://app.affine.pro)
App Version
0.22.4
What browsers are you seeing the problem on if you're using web version?
Chrome
Are you self-hosting?
- [x] Yes
Self-hosting Version
0.22.4
Relevant log output
Anything else?
No response
Issue Status: 🆕 *Untriaged*
*🆕 Untriaged*
The team has not yet reviewed the issue. We usually do it within one business day. Docs: https://github.com/toeverything/AFFiNE/blob/canary/docs/issue-triaging.md
This is an automatic reply by the bot.
I had described in #12497 a possible solution. Per legal requirements almost worldwide this really needs to be opt-in, not opt-out.
I found the same issue: the opt-out is per browser, and even if the user disables telemetry, it still sends the requests.
I think the team is not treating privacy seriously, which is really disappointing.
I am using Docker Compose to deploy this as my toy project, but if you want, here is my fix (credit to an LLM):
```yaml
affine:
  image: ghcr.io/toeverything/affine:stable
  # replace .affine.run with .wingu.se before container start
  # I have my "own" website which will deal with this telemetry and return `1` with HTTP 200 and do nothing
  entrypoint: >
    sh -c "find /app/static/js -type f -name '*.js' -exec sed -i 's/\.affine\.run/\.wingu\.se/g' {} + &&
    exec node ./dist/main.js"
  labels:
    - "traefik.enable=true"
    # Middleware for CSP header to block 3rd site requests just in case
    - "traefik.http.middlewares.affine-cspheader.headers.customResponseHeaders.Content-Security-Policy=default-src 'none'; script-src 'unsafe-eval' 'self' https://*.wingu.se; style-src 'self' 'unsafe-inline' https://*.wingu.se; img-src 'self' https://*.wingu.se data:; font-src 'self' https://*.wingu.se; connect-src 'self' https://*.wingu.se; frame-src 'self' https://*.wingu.se; manifest-src 'self' https://*.wingu.se;"
    # Attach middleware to router
    - "traefik.http.routers.affine.middlewares=affine-cspheader@docker"
```
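A check for the CSP fallback in the comment above, as an added example that is not part of the thread or AFFiNE's code: it parses the posted policy and tests whether a browser request to a given URL would pass `connect-src`. The page origin `https://affine.example.test` and the function names are assumptions, and matching is simplified to scheme and host.

```javascript
// Added example (not AFFiNE code): simplified CSP matcher for fetch/XHR/beacon targets.
// Handles 'self', *, keyword sources, scheme-sources and host-sources with a leading "*.".
// Ports, paths and redirects are ignored.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources); // first duplicate wins
  }
  return policy;
}

function hostMatches(pattern, host) {
  // "*.wingu.se" covers subdomains only, not wingu.se itself
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function connectAllowed(header, pageOrigin, target) {
  const policy = parseCsp(header);
  // connect-src governs fetch/XHR/beacons; default-src is its fallback
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // no governing directive, nothing is blocked
  const url = new URL(target);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "'self'") return url.origin === page.origin;
    if (src === "*") return ["http:", "https:"].includes(url.protocol);
    if (src.startsWith("'")) return false; // 'none' and other keywords match no URL
    if (src.endsWith(":")) return url.protocol === src; // scheme-source, e.g. "https:"
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(src);
    if (!m) return false;
    const scheme = m[1] ? m[1] + ":" : page.protocol; // scheme-less source follows the page
    return url.protocol === scheme && hostMatches(m[2], url.hostname);
  });
}

// Policy string copied from the Traefik label in the comment above.
const POSTED_CSP =
  "default-src 'none'; script-src 'unsafe-eval' 'self' https://*.wingu.se; " +
  "style-src 'self' 'unsafe-inline' https://*.wingu.se; img-src 'self' https://*.wingu.se data:; " +
  "font-src 'self' https://*.wingu.se; connect-src 'self' https://*.wingu.se; " +
  "frame-src 'self' https://*.wingu.se; manifest-src 'self' https://*.wingu.se;";
const PAGE = "https://affine.example.test"; // constructed origin for the self-hosted instance

console.log("telemetry.affine.run allowed:",
  connectAllowed(POSTED_CSP, PAGE, "https://telemetry.affine.run/track/"));
```

Run the same function against the header your proxy actually returns: a policy with neither `connect-src` nor `default-src` places no restriction on where the page can send requests.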