Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mybinder.org is broken when redirecting to notebooks.gesis.org #2558

Open
bitnik opened this issue Feb 26, 2020 · 5 comments
Open

mybinder.org is broken when redirecting to notebooks.gesis.org #2558

bitnik opened this issue Feb 26, 2020 · 5 comments
Labels
broken site DNT policy EFF's Do Not Track policy: www.eff.org/dnt-policy

Comments

@bitnik
Copy link

bitnik commented Feb 26, 2020

What is your browser and browser version?

Chrome Version 80.0.3987.122 (Official Build) (64-bit)

What is broken and where?

mybinder.org, staging.mybinder.org, example URL: https://staging.mybinder.org/v2/gh/ogrisel/notebooks/mastersss

What is the "culprit" domain?

notebooks.gesis.org

What is your debug output for this domain?

To get the debug output, please see the instructions link above.

**** ACTION_MAP for gesis.org
gesis.org {
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 0,
  "userAction": ""
}
notebooks-test.gesis.org {
  "dnt": false,
  "heuristicAction": "",
  "nextUpdateTime": 1565035835885,
  "userAction": "user_cookieblock"
}
notebooks.gesis.org {
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 1582943208262,
  "userAction": "user_block"
}
**** SNITCH_MAP for gesis.org
gesis.org [
  "127.0.0.1",
  "0.0.0.0",
  "github.com"
]

https://mybinder.org is a federation of different public BinderHub deployments. It redirects each user to a federation member. Last week we realized that PB is blocking notebooks.gesis.org, which is also a federation member and on notebooks.gesis.org there is no trackers running at all.

Today I was reading this issue and after reading the comment

To follow up on the last comment: if you've had PB installed since before we added the MDFP list, your badger might have learned to block wikimedia domains before that time, and never "un-learned" to block them if you didn't reset Privacy Badger's local storage. We can fix that problem by adding a migration to Privacy Badger's startup procedure, as we have with the yellowlist.

I decided to uninstall PB and install it again and see what happens again. And what happens is that it doesn't block notebooks.gesis.org anymore, which is very good. But we would like to ask you if there is a general fix for this issue, so it is fixed for all users without being have to make a fresh install of PB.

@ghostwords
Copy link
Member

Hello!

Could you provide steps for Privacy Badger learning to block notebooks.gesis.org? I am not sure how this problem happens right now.

I do see that two of the three domains your Privacy Badger saw "tracking" from notebooks.gesis.org on are local addresses. We should probably disable learning when on localhost pages (#817).

This seems similar to #2480 (another federated service).

@bitnik
Copy link
Author

bitnik commented Feb 27, 2020

Hey, thanks a lot!

Could you provide steps for Privacy Badger learning to block notebooks.gesis.org? I am not sure how this problem happens right now.

Before the fresh install of PB, when I visit https://staging.mybinder.org/v2/gh/ogrisel/notebooks/master, PB was blocking notebooks.gesis.org and therefore mybinder.org couldn't redirect to notebooks.gesis.org. After the fresh install notebooks.gesis.org is now just green in PB and redirection happens. (Btw to reproduce this, maybe you should first clear cookies for staging.mybinder.org in your browser, because mybinder.org saves the host, where user is going to be redirected, in a cookie.)

@bitnik
Copy link
Author

bitnik commented Feb 27, 2020

I just realised an important detail: now I see that notebooks.gesis.org is under title "Your Badger hasn't yet learned to block these domains"

@betatim
Copy link

betatim commented Mar 10, 2020

The debug output for gesis.org looks like:

**** ACTION_MAP for gesis.org
gesis.org {
  "userAction": "",
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 0
}
notebooks.gesis.org {
  "userAction": "user_block",
  "dnt": false,
  "heuristicAction": "block",
  "nextUpdateTime": 1582572413865
}
**** SNITCH_MAP for gesis.org
gesis.org [
  "binderhub.readthedocs.io",
  "mybinder.org",
  "paddy10tellys.github.io"
]

Right now I don't know how it learnt to block notebooks.gesis.org. Will try to reconstruct this.

Some context on the setup of our federation: a user navigates to mybinder.org and JS loaded from that domain then creates a EventStream to one of a set of sites (gke.mybinder.org, gesis.mybinder.org, ovh.mybinder.org, etc). Most of the sites work. There is one that fails which is when we make a request to gesis.mybinder.org which (unlike the others) gets redirected to notebooks.gesis.org (via a 30x). This means the request starts out as something to a subdomain but then is a cross domain request. I am wondering if this what makes PB block the request.

Is this a case for MDFP? If yes I can make a PR to add mybinder.org and notebooks.gesis.org as part of the same entity. Alternatively is there any way (explicitly not sending cookies or some such, special flag during the redirect, some form of CORS like header) to make the request not trigger the tracking detection?

@ghostwords ghostwords added the DNT policy EFF's Do Not Track policy: www.eff.org/dnt-policy label Mar 10, 2020
@ghostwords
Copy link
Member

Alternatively is there any way (explicitly not sending cookies or some such, special flag during the redirect, some form of CORS like header) to make the request not trigger the tracking detection?

Yes! If notebooks.gesis.org does not actually track users, it may be compliant with the EFF Do Not Track policy. You could then post the DNT policy on the notebooks.gesis.org domain. This will tell Privacy Badgers to always allow resources from notebooks.gesis.org.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
broken site DNT policy EFF's Do Not Track policy: www.eff.org/dnt-policy
Projects
None yet
Development

No branches or pull requests

3 participants