

Show HN: PixelBlock – A Gmail extension that blocks email tracking - ramoq
https://chrome.google.com/webstore/detail/pixelblock/jmpmfcjnflbcoidlgapblgpgbilinlem

======
claudiusd
Chrome plugins pose a HUGE security problem. This one, for example, gets
access to your GMail account. Do you want that? What else could this plugin do
since it can read your email? Do you trust the author not to steal your GMail
cookie?

Are you installing this at work? What kind of trade secrets could you
potentially leak? And how does it affect your corporate compliance
requirements? If your email is subject to HIPAA regulation, then you may be
leaking protected health information. That's pretty bad.

I, for one, rarely install plugins. I've written plugins for my own amusement
that can do some very bad things, and it's just too easy. Think twice, people.

~~~
thrownaway2424
I really really really want a better security model for chrome extensions. As
an example, I'd be happy to install this extension if it didn't "have access
to" my gmail content, but was somehow able to add DOM matching and mutating
callbacks that were run under Gmail. The matching part would be under my
control and couldn't be updated by the extension. For example I'd be happy to
let this extension mutate any img tag. I'm sure you can find a million holes
in this idea, but it would be better than what we have today.

~~~
alooPotato
Maybe if the permission was something like "Let this extension read and mutate
stuff on the page but don't let it make any ajax requests". Would that be
sufficient?

~~~
joshuacc
Not the person you were responding to, but this could be easily worked around
by sticking `img` tags into the page with urls that are crafted to share
information.

------
hughes
I'm wary of installing an extension that can access my data in gmail. Is the
source code available anywhere?

Edit1: Found a chrome extension that lets me view the source code of chrome
extensions[1]

Edit2: The inclusion of bootstrap.css is changing the appearance of some
things, namely the "show original" message view. It also doesn't seem to
detect the tracking image included by yesware.

Edit3: Could I break this by adding "safe-img" somewhere in my tracking pixel
url?

[1] [https://chrome.google.com/webstore/detail/chrome-extension-s...](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin/)

~~~
ramoq
I understand your concern, but chrome extensions for gmail are widely used
even across business/enterprise.

If it's any consolation, I do not store/scan/save any data. It just blocks
images that people are using to invade your privacy (i.e. track your email
opens).

p.s. There is no oauth access required for this extension/app.

------
Kiro
Does this even work considering Gmail pre-fetches all the images nowadays?

~~~
ramoq
Author here, yes it does. Meaning, email tracking still works regardless of
gmail pre-fetching. But accuracy may be slightly off.

I'll add this as well, several companies have built products just to allow
people to do email tracking in Gmail (boomerang, signals, streak, banana tag).
So yes it does work.

[Edited x 2]

~~~
Navarr
I think what he meant is - does TRACKING even work since google now
pre-fetches images.

~~~
ChristianBundy
I'm not the author, but tracking doesn't work at all – this extension is 100%
redundant.

~~~
alelefant
Tracking still works. Tracking _multiple_ opens doesn't work since Gmail will
cache the image, but the first load of the image can still be tracked.

------
alooPotato
Another potential solution to block 'read receipts' is to turn off image
loading by default. It's not ideal - because you don't know what images will
load until you load them so you may be tempted to load images when you think
there may actually be some image content there.

The benefit of this approach is that all marketing email won't be tracked as
well.

Disclosure: I'm a co-founder at Streak and we offer read receipts for gmail.

~~~
ramoq
Hi Aleem! This is Omar from Waterloo (your co-founder's friend). Big fan of
you guys and what you've done with Streak. Contrary to some of the comments,
some chrome extensions inside of gmail are very very very useful. Streak is
definitely one of those.

------
timl88
Here is an article explaining Gmail's new caching of images.
[http://blog.mailchimp.com/how-gmails-image-caching-affects-o...](http://blog.mailchimp.com/how-gmails-image-caching-affects-o..).

Tracking still works and this extension is useful as long as you trust the
author.

------
mooij
When I wrote email tracking software about 7 years ago, I dropped the 1x1
pixel, because of spam filters tripping over them. I just used any image in
the email to track you and assigned it a unique URL. How do you propose
catching that one?

~~~
ramoq
At the moment I just scan for the most commonly known sources of tracking and
then things that seem to be tracker images. The logic is quite simple,
definitely can be improved to pick up a lot more tracking sources. But for now
it works quite well :)
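
An added example, not part of the thread and not PixelBlock's code: one way a blocker could handle the two cases raised above, a normal-sized image carrying a per-recipient URL and a tracking URL that embeds an allowlist-looking marker such as "safe-img". The allowlist, host names and sample URLs are constructed assumptions.

```javascript
// Added example: heuristic only, not PixelBlock's code. Hosts and URLs are constructed.
const TRUSTED_HOSTS = new Set(["images.trusted.example"]); // hypothetical allowlist

// Exact hostname comparison: a marker such as "safe-img" elsewhere in the URL
// is sender-controlled and must not exempt an image.
function isTrustedHost(src) {
  try { return TRUSTED_HOSTS.has(new URL(src).hostname); }
  catch { return false; } // unparseable URL: never trusted
}

function isTinyOrHidden(img) {
  const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(img.style || "");
  return hidden || (img.width <= 1 && img.height <= 1);
}

// A long mixed letter/digit string in a path segment or query value looks like a
// per-recipient token. Content-hashed asset names also match, so expect false positives.
function looksLikeToken(s) {
  const core = s.replace(/\.[a-z0-9]{2,4}$/i, ""); // drop file extension
  return /^[A-Za-z0-9_-]{16,}$/.test(core) && /[0-9]/.test(core) && /[A-Za-z]/.test(core);
}

function hasUniqueToken(src) {
  let u;
  try { u = new URL(src); } catch { return false; }
  const parts = u.pathname.split("/").concat([...u.searchParams.values()]);
  return parts.some(looksLikeToken);
}

function classify(img) {
  if (isTrustedHost(img.src)) return "allow";
  if (isTinyOrHidden(img)) return "block-pixel";
  if (hasUniqueToken(img.src)) return "block-unique-url";
  return "allow";
}

// Constructed sample images, as attributes parsed from an HTML email.
const SAMPLE_IMAGES = [
  { src: "https://tracker.example/open.gif?id=9f2c4b7a1d3e4f60", width: 1, height: 1 },
  { src: "https://cdn.example/logo/3b8e1f0c9a7d4e52b6c1.png", width: 200, height: 60 },
  { src: "https://cdn.example/img/header.png", width: 600, height: 120 },
  { src: "https://tracker.example/safe-img/open.gif?u=77aa01bc93de45f2", width: 1, height: 1 },
  { src: "https://images.trusted.example/banner.png", width: 600, height: 90 },
];

function classifyAll(images) { return images.map(classify); }
console.log(classifyAll(SAMPLE_IMAGES));
```

The second sample is a full-sized logo that is still flagged because its filename carries a token, and the fourth is blocked even though "safe-img" appears in its path.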

------
sophsterq
Personally, I find this very simple and useful. Great Job!

------
kretor
Why?

~~~
ramoq
I prefer not letting people know I'm reading their emails. It's a privacy
thing :)

