login.wikimedia.org is manually set to green (as required to log in at all), SUL works fine for projects that use language codes as subdomains; cookies for such projects are cross-domain and are not detected by Privacy Badger's exact domain matching. However, Wikimedia Commons (commons.wikimedia.org) and Wikispecies (species.wikimedia.org) still have their cookies blocked. Since there is no plan to implement a "green whitelist," this needs to be resolved by tech evangelism to make the WMF post the appropriate DNT policy on login.wikimedia.org and multilingual projects. Compare ticket #178 for the Chrome version (resolved by multiDomainFirstParties.js)
* i.i.cbsi.com (used e.g. for images on CNET Download pages)
* s3.amazonaws.com (KISSinsights tracking[?] script in the bucket named ki.js triggers red because of cookies it sets?) (https://www.eff.org/files/cookieblocklist.txt contains an entry for "amazonaws.com"; perhaps this isn't actually matching subdomains, despite the syntax borrowed from ABP?) - this may also be affecting https://onpoint.wbur.org (https optional, no existing HTTPS-E ruleset) as mentioned at GitHub issue 461 - known issue: discussion specifically about Amazon S3 at #482; root cause described at #516
* assets.zendesk.com (TODO: describe)
* imgs.xkcd.com, sslimgs.xkcd.com (hover over the link on https://imgur.com/gallery/5ZP7VNX/comment/248761942; very likely because of existing Google Analytics cookies set from xkcd pages; don't whitelist the 2ld xkcd.com because dynamic.xkcd.com has been used for tracking scripts on some third-party sites like the store [strictly, it would only become 3rd party after store.xkcd.com is rewritten by HTTPS Everywhere to store-xkcd-com.myshopify.com])
* inkoutbreak.com (Formerly seen on http://www.selkiecomic.com/; offending cookie is PHPSESSID)
* wwwimages2.adobe.com (seen on https://typekit.com/; it isn't a problem on other Adobe sites, where it is considered first party)
* vine.co, mtc.cdn.vine.co, v.cdn.vine.co, platform.vine.co (not normally a problem, but seen at http://cuteoverload.com/2014/07/15/take-us-out-to-the-ballgame-hank/ while that post was on the homepage; note that the Vine video in question is framed inside http://wpcomwidgets.com/; there appear to be POST requests involved [according to the warning message from Firefox when Privacy Badger setting changes trigger a reload], but they don't seem essential. I couldn't find any existing cookies from vine.co stored on my system.)
* www.speedtest.net (seen on https://secure.dd-wrt.com/phpBB2/viewtopic.php?t=151293; probably affects other forums as well; offending cookie is probably stnetsid)
* calendar.google.com (only affects images?)
* (www.)pouet.net (iframe seen on http://www.chiptune.com/; probably a session-cookie issue) [obsolete?]
* i.dailymail.co.uk (e.g. hotlinked image on http://shmups.system11.org/viewtopic.php?p=1053146#p1053146)
* code.google.com (see image in the entry currently on http://www.zophar.net/ that points to http://www.zophar.net/forums/showthread.php?t=17387; I thought there was a cookieblocklist.txt entry for *.google.com? Same bug affecting Amazon S3?)
* www.bing.com (on http://www.msn.com/?ocid=mailsignout; not tested exactly what this affects, as the Bing search bar still shows up fine either way)
* www.scribd.com (seen on http://www.theverge.com/2014/10/3/6414949/911-call-failures-fcc)
* kasperskycontenthub.com (seen on https://threatpost.com/)
* www.ohloh.net (Formerly seen on http://gmic.eu/) - admittedly debatable whether this is false
* cimg.sourceforge.net (specific subdomain seen on http://gmic.eu/, but possibly affects all SourceForge subdomains)
* www.slideshare.net (seen on http://www.christopherjhopkins.com/links/conferences); note that stats.slideshare.net should remain blocked, so don't put the 2-level domain slideshare.net on the cookieblocklist
* www.kickstarter.com (for widget frames)
* i.gyazo.com (seen on http://jul.rustedlogic.net/thread.php?pid=439215#439215; no longer uses CloudFlare - needs retesting)
* developer.android.com (on https://syncthing.net/)
* html5-player.libsyn.com, assets.libsyn.com, ssl-static.libsyn.com (seen on http://clientsfromhell.net/; specific post needs diagnosis)
* sites.google.com (seen on http://gendev.spritesmind.net/forum/viewtopic.php?p=25014#25014; more examples certainly exist)
* www.ign.com (seen on http://forums.nesdev.com/viewtopic.php?p=147540#p147540)
* netdna-ssl.com subdomains on multiple domains (too many to list) - known issue (#484)
* free.timeanddate.com, freesecure.timeanddate.com (on multiple pages in http://www.sandman.com, todo find other examples)
* static.giantbomb.com (seen on http://forums.nesdev.com/viewtopic.php?p=149303#p149303)
* fc2.com subdomains, specifically those used for blog images (seen on http://forums.nesdev.com/viewtopic.php?p=138020#p138020)
* i.telegraph.co.uk (seen somewhere in http://shmups.system11.org/viewtopic.php?f=3&t=44108&start=390; offending cookie probably set from some user-visible page on www.telegraph.co.uk)
* duckduckgo.com (used for a search box on all(?) pages of boingboing.net; probably due to user preference cookies?)
* v.theonion.com (video content on some pages of www.clickhole.com)
* postimg.org subdomains (somewhere in http://tasvideos.org/forum/viewtopic.php?t=16969&postdays=0&postorder=asc&start=75 - probably due to CloudFlare cookies)
* imasdk.googleapis.com - breaks videos on www.cbsnews.com (requires Flash)
* adobeid-na1.services.adobe.com - Recommended action: Tech evangelism and/or documentation; add to cookieblocklist anyway in meantime - (yellow is enough to make the https://typekit.com/ homepage display correctly, but green is needed to actually be able to log in)
* fonts.cbsi.com - Recommended action: None - (script that only controls webfonts; used e.g. on all pages of http://www.gamespot.com; the problem is that it returns 403 when set to yellow, probably due to referer checks. I'm okay not taking any action on this, as EFF/Tor developers tend to consider webfont issues not worth the security/privacy risks to fix, either within Privacy Badger or HTTPS Everywhere.)
* tcrf.net - Recommended action: Define a syntax that allows a 2-level domain to be listed without affecting its subdomains; add to cookieblocklist anyway in meantime - (discussion; the same issue applies to every site that runs MediaWiki software and does not forbid hotlinking, as mentioned above for Wikipedia; barring tech evangelism to a large number of sites, it could require fundamental changes to the entropy estimator or other functionality); note that stats.tcrf.net is used on the jul.rustedlogic.net
forum and should remain blocked

Resolved

In principle, Privacy Badger is just as vulnerable to false notices as is LibreJS. (The "notice" is EFF's proposed DNT policy. I have no further comment at present.)
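As an added example (not code from this page or from Privacy Badger itself), the toy matcher below contrasts the three list-matching rules that the amazonaws.com, slideshare.net and tcrf.net entries above turn on: exact-host matching, ABP-style suffix matching, and suffix matching with a hypothetical "=host" marker for entries that should cover only the 2-level domain. The "=" marker and the sample list are assumptions made for illustration.

```javascript
// Toy cookie-allowlist matcher (added example, not Privacy Badger's code).
// Modes:
//   "exact"  - an entry matches only that exact host
//   "suffix" - an entry matches the host and every subdomain (ABP-style)
//   "marked" - like "suffix", but an entry written "=host" (hypothetical
//              syntax) matches the exact host only, leaving subdomains alone

// Constructed sample list; "=tcrf.net" uses the assumed marker syntax.
const SAMPLE_LIST = ["amazonaws.com", "www.slideshare.net", "=tcrf.net"];

// Constructed sample hosts taken from the entries above: the S3 bucket host,
// the slideshare tracker, the wiki itself and its tracker subdomain.
const SAMPLE_HOSTS = [
  "s3.amazonaws.com",
  "www.slideshare.net",
  "stats.slideshare.net",
  "tcrf.net",
  "stats.tcrf.net",
];

function hostMatchesEntry(host, entry, mode) {
  const exactOnly = entry.startsWith("=");
  const base = exactOnly ? entry.slice(1) : entry;
  switch (mode) {
    case "exact":
      return host === base;
    case "suffix":
      // The marker is not understood here, so the entry behaves as a bare 2LD.
      return host === base || host.endsWith("." + base);
    case "marked":
      if (exactOnly) return host === base;
      return host === base || host.endsWith("." + base);
    default:
      throw new Error("unknown mode " + mode);
  }
}

function isCookieAllowed(host, list, mode) {
  return list.some((entry) => hostMatchesEntry(host, entry, mode));
}

// Returns { host: allowed } for every sample host under the given mode.
function decisions(mode, list = SAMPLE_LIST, hosts = SAMPLE_HOSTS) {
  const out = {};
  for (const h of hosts) out[h] = isCookieAllowed(h, list, mode);
  return out;
}

for (const mode of ["exact", "suffix", "marked"]) console.log(mode, decisions(mode));
```

Under "exact", s3.amazonaws.com stays blocked despite the amazonaws.com entry (the suspicion voiced above); under "suffix", a bare tcrf.net entry also unblocks stats.tcrf.net, which is the hazard the slideshare.net and tcrf.net notes warn about.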