
Sourcebuster.js - ddispaltro
http://sbjs.rocks/#/
======
um_ya
Piggybacking off of this post. I'd like to take the opportunity to remind
people of the security hazards of referrer addresses and keeping sensitive
information out of your query parameters. _If you have third party images or
third party links on your site, sensitive user information is leaked through
the referrer address_ if the data is in your GET parameters. If you have an
OAuth scheme, double check to make sure you don't have external links or
third party images in your login/redirect/authentication process. Sensitive
information should ALWAYS be sent via POST request and your referrer policy
should be set appropriately. Read more here:
[https://developer.mozilla.org/en-US/docs/Web/Security/Refere...](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns)

------
_threads
I just love it when I enter a store and someone who followed me goes and tells
the seller all the shops I visited, what I shopped for, for how long, what I
searched for and what I read.

We have to stop this nonsense, and stop calling this « innovation »

~~~
spiderfarmer
This absolutely doesn’t do that though.

~~~
oliwarner
No, this _absolutely does_ form part of the marketing loop.

Profiling visitors based on their referrer to —quoting TFA— "show relevant
content" is exactly this sort of creepy nonsense that leads to you (store
owner) knowing where I do my research and being able to infer more about me
than I've explicitly told you.

~~~
spiderfarmer
To me just using referral data is not creepy at all. All this script does is
keep track of where people are coming from. It's not using questionable
tricks, it's not building profiles and it's not combining or using other data.
All it knows is you're an anonymous visitor that came through source X.

~~~
oliwarner
Just using it for what?

We're arguing slightly different things. Sure, _guns don't kill people_.
Referrer as an aggregate statistic, on its own is pretty harmless. _This_
script doesn't even phone home on its own.

But it's what you do with that data. How you collect it. What you collect with
it. How you aggregate, or infer from it. Modern sales funnelling and marketing
is all sold around targeting users. That's what this all feeds into.

~~~
spiderfarmer
Referrer data has a lot of non-shady uses and it is really useful. That's why
we have GDPR, so we can use referrer data as intended by preventing people
from combining data.

Also, I don't think you can equate this with guns.

Try equating it with metal. Yes, you can make it into a gun, but you need to
have a lot of different things in place before you can use it to do harm.

Referrer data is completely anonymous. If you want to combine it into a
profile, you need layers and layers of complexity and other data before you
have something you can use to target users based on their interests. With
GDPR, this is illegal without consent anyway, so I think you're overreacting.

------
EmilStenstrom
To be clear, this "buster" isn't breaking any browser boundaries. It just uses
whatever referer header the page gets from the browser.

~~~
mbell
Looks like it also parses UTM params but yea, it's not doing anything special
or nefarious.

------
chimen
I don't get the point of this in a client script. What does it do that can't
be done server side with the http headers? Maybe it can be useful inside SPAs
but this sort of info should be immutable and read only which is next to
impossible on front facing apps.

~~~
buremba
You can still emulate the Referer header in order to trick the server side.
It's easier to do this on the client side in order to avoid complexity on
server-side because the servers need to be aware of all the browsers used by
the client.

~~~
chimen
Makes no sense. What complexity are you talking about? You get that info on
the client to create another request to the server in order to send it over?

~~~
buremba
Unless you're only tracking the pageview events, it's not an additional
request. Most of the analytics SDKs use either XHR or Pixel tracking. It's
often easier to build up a separate analytics pipeline rather than using the
backend server logs.

------
rocky1138
I've been looking at the Chameleon extension recently. Anyone have any
experience with it? Apparently it spoofs a ton of stuff to make tracking
harder.

------
z3t4
Hmm. I thought browsers stopped giving out referrer years ago ... !?

~~~
mbell
There are options to control the referrer in various places, but it is still
included by default. The only situation I can think of where it's blocked by
default is when navigating from https to http.

~~~
lixtra
Which seems to happen here:
[https://news.ycombinator.com/item?id=19295836](https://news.ycombinator.com/item?id=19295836)
-> [http://sbjs.rocks/#/](http://sbjs.rocks/#/)

------
ykevinator
I clicked the link through feedly but it said my source was direct

~~~
bleys_
Because you went from a https site to a non secure one
([http://sbjs.rocks](http://sbjs.rocks)) so the referer header was hidden.

See:
[https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding](https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding)

~~~
tw1010
I did the same but it worked for me (said hn), why didn't it work for the
parent but it did for me?

~~~
shroom
Same for me and I’m curious why (Safari on iPhone)

~~~
dperfect
I believe it's due to HN including this:

    <meta name="referrer" content="origin">
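
Two things argued over in this thread follow from the same rules: the leak um_ya warns about near the top (a third-party resource loaded from a page whose query string carries a secret) and why HN's `origin` meta tag still produces a Referer on the https -> http hop to sbjs.rocks while Feedly's default policy does not. The block below is an added example, not code from the thread or from sourcebuster.js: a small Node.js model of the named policies in the W3C Referrer Policy spec, with the thread's cases worked through. The `shop.example` reset page, its token value and the `cdn.third-party.example` image host are constructed placeholders; the spec's localhost/file: exceptions to the "potentially trustworthy" check are left out.

```javascript
// Added example (not part of the thread or of sourcebuster.js): a model of the
// Referrer Policy decision rules, showing what a browser puts in the Referer
// header for a navigation or subresource request under each named policy.

const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
]);

// "Strip url for use as a referrer": drop credentials and the fragment, keep
// path and query (this is why a secret in the query string can leak).
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form: scheme://host[:port]/ with no path or query.
function originOnly(url) {
  return new URL(url).origin + '/';
}

// A request is a "downgrade" when the referring page is TLS-protected and the
// destination is not. Simplification: the spec's "potentially trustworthy"
// check also treats localhost and file: as trustworthy; that is ignored here.
function isDowngrade(fromUrl, toUrl) {
  const tls = (p) => p === 'https:' || p === 'wss:';
  return tls(new URL(fromUrl).protocol) && !tls(new URL(toUrl).protocol);
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value the browser would send, or null for no header.
// Default policy is the one browsers shipped at the time of this thread.
function refererFor(fromUrl, toUrl, policy = 'no-referrer-when-downgrade') {
  if (!POLICIES.has(policy)) throw new Error(`unknown referrer policy: ${policy}`);
  const full = stripForReferrer(fromUrl);
  const origin = originOnly(fromUrl);
  const downgrade = isDowngrade(fromUrl, toUrl);
  const same = sameOrigin(fromUrl, toUrl);
  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'same-origin': return same ? full : null;
    case 'origin': return origin;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return same ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (same) return full;
      return downgrade ? null : origin;
    case 'unsafe-url': return full;
  }
}

// Worked cases. The HN item and sbjs.rocks URLs appear in the thread; the
// password-reset page and the third-party image host are constructed.
const HN_ITEM = 'https://news.ycombinator.com/item?id=19295836';
const SBJS = 'http://sbjs.rocks/#/';
const RESET_PAGE = 'https://shop.example/reset?token=SECRET-TOKEN'; // constructed
const THIRD_PARTY_IMG = 'https://cdn.third-party.example/logo.png';   // constructed

function threadCases() {
  return {
    // Feedly-style default policy: https -> http is a downgrade, header dropped.
    hnDefault: refererFor(HN_ITEM, SBJS, 'no-referrer-when-downgrade'),
    // HN's <meta name="referrer" content="origin">: origin sent even on downgrade.
    hnOriginMeta: refererFor(HN_ITEM, SBJS, 'origin'),
    // um_ya's warning: a third-party image on a page whose URL carries a secret.
    leakedToken: refererFor(RESET_PAGE, THIRD_PARTY_IMG, 'no-referrer-when-downgrade'),
    // Same page under a stricter policy: only the origin crosses the boundary.
    mitigated: refererFor(RESET_PAGE, THIRD_PARTY_IMG, 'strict-origin-when-cross-origin'),
  };
}

console.log(threadCases());
```

The `mitigated` case is what a site gets by sending the `Referrer-Policy: strict-origin-when-cross-origin` response header (or the equivalent `<meta name="referrer">` tag shown above) on pages that carry tokens in their URL; the `leakedToken` case is what the default policy of the day handed to any third-party host embedded on such a page.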

------
oliwarner
This seems pretty fragile. I visited first from Feedly and then from HN and
both times it counted my visit as "direct" (ie no referrer).

Or is this just Firefox kicking ass?

------
wink
Your source is: direct visit.

No, I clicked a link from 2 different domains (my rss reader and here) - so
that means my browser privacy addons work? :)

------
baroffoos
For a while I had referrers turned off in Firefox. Almost everything still
works, but it did set off a few anti-bot scripts on larger websites.

------
jonahx
Anyone know why chrome does not have an option to turn off the Referer header
globally?

~~~
robinduckett
Because many websites will get upset if you don't have your referrer available
to track you /shrug

