    944 points 6a74 | 14 comments
    hentrep ◴[] No.41802660[source]
    I noticed the URL was updated for this post. Previously it linked to asahilinux.org which showed an anti-HN manifesto from the HN referral. Curious as I haven’t seen this before. Seems it has been covered by previous commenters: https://news.ycombinator.com/item?id=36227103
    replies(5): >>41802728 #>>41802899 #>>41803142 #>>41803235 #>>41803470 #
    ginko ◴[] No.41802728[source]
    How can the site even detect where a user is coming from? Browsers leaking this information seems like a huge privacy issue to me.
    replies(1): >>41802741 #
    robin_reala ◴[] No.41802741[source]
    Referer (misspelled in the spec) has been a part of HTTP from day 1.
    replies(1): >>41802788 #
    1. ginko ◴[] No.41802788[source]
    Feels crazy this isn’t disabled by default
    replies(5): >>41802839 #>>41802862 #>>41802919 #>>41802996 #>>41803993 #
    2. paraboul ◴[] No.41802839[source]
    This is part of the web DNA. Pages linking pages and being aware about it. Origin can still disable it.
    3. Smar ◴[] No.41802862[source]
    There is little hope to get it disabled when an ad company is running the most popular ad platf... Erm, the world wide web browser.
    replies(1): >>41802931 #
    4. mananaysiempre ◴[] No.41802919[source]
    See[1] the Referrer-Policy header, <meta name="referrer">, <a referrerpolicy> and <a rel="noreferrer">.

    But generally, webmasters have found it useful to know who caused their server to fall over^W^W^W^W^W^W is linking to their pages. This was even used as a predecessor to pingbacks once upon a time, but turned out to be too spammable (yes, even more so than pingbacks).

    After the HN operators started adding rel=noreferrer to links to the Asahi Linux website, Marcan responded[2] by excluding anyone who has the HN submit form in their browser history, which feels like a legitimate attack on the browser’s security model—I don’t know how it’d be possible to do that. (Cross-origin isolation is supposed to prevent cross-site tracking of this exact kind, and concerns about such privacy violations are why SRI has not been turned into a caching mechanism along the lines of Want-Content-Digest, and so on and so forth.) ETA: This is no longer in place, it seems.

    [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

    [2] https://social.treehouse.systems/@marcan/110503331622393719

    replies(1): >>41803317 #
    5. jsheard ◴[] No.41802931[source]
    The Referrer-Policy header lets a server tell the browser how much referrer information to pass on when following links, all the way down to nothing at all if desired. Chrome does respect that, and they also followed other browsers in changing the default to "strict-origin-when-cross-origin" a few years ago which truncates the referrer path when leaving to a different domain, so they only see the domain the visitor came from rather than the specific page like they used to. Can't really fault Google in this case.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...
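
    As an added example (not code from the thread or from any browser), the Python below computes the Referer value a browser sends for a navigation under each of the eight standard Referrer-Policy values, following the W3C "determine request's referrer" algorithm that the comment above summarises; the sample URLs in the test are constructed, and local schemes such as about: and data: are not handled.

```python
from urllib.parse import urlsplit, urlunsplit

# The eight standard Referrer-Policy values from the W3C spec.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}

def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.port)

def _strip(url, origin_only=False):
    """Drop credentials and fragment; optionally reduce to 'scheme://host[:port]/'."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def _downgrade(src, dst):
    """True when a TLS-protected page navigates to a non-TLS destination."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"

def referer_for(src, dst, policy="strict-origin-when-cross-origin"):
    """Referer value the browser sends for src -> dst, or None for no header."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy {policy!r}")
    same, down = _origin(src) == _origin(dst), _downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(src)
    if policy == "no-referrer-when-downgrade":
        return None if down else _strip(src)
    if policy == "same-origin":
        return _strip(src) if same else None
    if policy == "origin":
        return _strip(src, origin_only=True)
    if policy == "strict-origin":
        return None if down else _strip(src, origin_only=True)
    if policy == "origin-when-cross-origin":
        return _strip(src, origin_only=not same)
    # strict-origin-when-cross-origin: the default in current browsers
    if same:
        return _strip(src)
    return None if down else _strip(src, origin_only=True)
```

    Under the browser default, a cross-origin click from an HN thread yields only `https://news.ycombinator.com/`, and an HTTPS-to-HTTP navigation yields no header at all.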

    6. bigstrat2003 ◴[] No.41802996[source]
    Referer does have legitimate uses. For example, back in the day people would use it to detect if someone embedded an image from their site on another site. SomethingAwful famously used to respond to any such requests with goatse, and forums I was on had very strict "don't link to SA images" rules as a result.

    I think that using referer to try to deliver manifestos to users of another site is kinda childish, but so it goes. Every tool can be put to good or bad uses.

    replies(1): >>41803155 #
    7. dylan604 ◴[] No.41803155[source]
    It's only slightly less childish than the current WP drama.
    8. miki123211 ◴[] No.41803317[source]
    > I don’t know how it’d be possible to do that

    It isn't, at least not in the way you think.

    Visited links have always looked different from unvisited ones, and the moment you could customize how links looked via CSS, browsers also had to implement styling for visited links specifically.

    Modern browsers put a lot of care into making the changes to those styles observable to the user, but not to Javascript.

    This is an extremely hard problem, and browsers have had a lot of security issues related to this behavior. Nowadays, you can only apply a very limited subset of CSS properties to those styles, to avoid side-channel timing attacks and such.

    This means you can display a banner to anybody who has a certain URL in their browser history, but you can't observe whether that banner actually shows up with JS or transmit that information to your server.

    replies(2): >>41803504 #>>41803791 #
    9. mananaysiempre ◴[] No.41803504{3}[source]
    Ah. Ahhh[1]. I see.

      <!doctype html>
      <style>a { color: white; background-color: white; } a:visited { color: black; }</style>
      <body><a href="https://example.com/abracadabra" onclick="return false">you are a bad person</a>
    
    [1] https://developer.mozilla.org/en-US/docs/Web/CSS/:visited#pr...
    10. Wowfunhappy ◴[] No.41803791{3}[source]
    > This means you can display a banner to anybody who has a certain URL in their browser history, but you can't observe whether that banner actually shows up with JS or transmit that information to your server.

    How do they stop you from using Canvas to see the output and send it back?

    replies(1): >>41804309 #
    11. npteljes ◴[] No.41803993[source]
    There's a handy addon for Firefox called Privacy Settings that can take care of that. Explicitly adds an option to have the referers be not sent, and a quick way of re-enabling it, in case it breaks a website. Because of course that happens too.
    12. zamadatix ◴[] No.41804309{4}[source]
    Canvas can't "see the output", it only sees what is drawn in it (which is not a set of HTML tags, it's JS commands).

    The screen recording/screen sharing API can be used for this but security is the reason you have to give explicit permission to the site before it can do this.

    replies(1): >>41804995 #
    13. miki123211 ◴[] No.41804995{5}[source]
    IIRC, Firefox had a bug where this exact scenario was possible, I think you needed to embed the link in html embedded inside an SVG, which was displayed in the canvas, and then access the bitmap. You could e.g. make the link black if visited and white otherwise, and then the number of white versus black pixels in the bitmap would tell you whether the link was visited or not.

    There was also that asteroids game / captcha where links were white/black squares and your goal was to click all the black ones. Of course, clicking a square revealed that you knew the square was black, which meant the URL under it was in your history.

    replies(1): >>41818663 #
    14. zamadatix ◴[] No.41818663{6}[source]
    If you go back far enough there weren't even protections against this sort of thing at all! E.g. you could just say a visited link style was 1px taller then measure that. The protections had to be added in after the fact (often with special case logic for what's allowed to be styled or read on :visited) once security became a major concern!