I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I’m missing something :-)
It would be interesting to see just how much info is shared when lemmy requests the image. If there is [potentially] sensitive info being shared, the devs might be interested in working on it too (I have no idea how to check such a thing, this comment is just so I can find the post later when more people have shared their wisdom on it)
None (by Lemmy), as Lemmy doesn’t actually request the image (that would be proxying). Your browser requests the image directly by URL. Lemmy, technically, doesn’t even know an image exists. It just provides the HTML and lets your browser do the work.
![An external image showing your user-agent and the total "hit count"](https://trilinder.pythonanywhere.com/image.jpg)
I get the same result when I browse directly to the link.
So, if OP links a malcious website we have a problem … (?).
Not really that huge of a problem. When making requests you also usually send a header which includes the user agent.
The program just logs how many times the image has been requested and it reads the user agent data. No Javascript is actually executed.
Well it might be possible to have a XSS somehow but I haven’t really done much research into this possibility.
In general it’s a pretty standard way of handling embedded images. Email does this too. That’s how you have these services that can check if someone read a mail
okay so I make a test here, with this : ![www.example.com](http://www.example.com/)
I believe this web page doesn’t load automatically.
FWi
The domain names example.com, example.net and example.org are second-level domain names in the Domain Name System of the Internet. They are reserved by the Internet Assigned Numbers Authority (IANA) at the direction of the Internet Engineering Task Force (IETF) as special-use domain names for documentation purposes. (…wikipedia)
Yup. And to add, your browser will send things like:
Your IP address. Technically this is sent by the OS doing networking and is unavoidable. At best, a VPN can hide this, because the VPN sits in the middle.
Various basic request headers, which most notably contains user agent (identifies browser) and language headers, both which you can fake if you want to.
Cookies for that domain (if you have any). Those can track you across multiple requests and thus build up a profile of you.
Nice example!
I think proxying everything through lemmy would have a pretty big bandwidth/scalability impact. I expect the lemmy clients dont send any unique user info on these image requests so not sure how useful it would be as a spy pixel? Maybe I’m missing something :-)
It would be interesting to see just how much info is shared when lemmy requests the image. If there is [potentially] sensitive info being shared, the devs might be interested in working on it too (I have no idea how to check such a thing, this comment is just so I can find the post later when more people have shared their wisdom on it)
None (by Lemmy), as Lemmy doesn’t actually request the image (that would be proxying). Your browser requests the image directly by URL. Lemmy, technically, doesn’t even know an image exists. It just provides the HTML and lets your browser do the work.
Exactly. The text of this post is simply :
![An external image showing your user-agent and the total "hit count"](https://trilinder.pythonanywhere.com/image.jpg)
I get the same result when I browse directly to the link.
So, if OP links a malcious website we have a problem … (?).
Oh dangit, it’s simpler than I thought. So the only data being sent is…just whatever is sent in your average GET request.
Yes. It’s also a pretty standard way of serving images. A lot of Email clients do that too.
That’s also how these services that show you when a email is read work.
Not really that huge of a problem. When making requests you also usually send a header which includes the user agent.
The program just logs how many times the image has been requested and it reads the user agent data. No Javascript is actually executed.
Well it might be possible to have a XSS somehow but I haven’t really done much research into this possibility.
In general it’s a pretty standard way of handling embedded images. Email does this too. That’s how you have these services that can check if someone read a mail
okay so I make a test here, with this :
![www.example.com](http://www.example.com/)
I believe this web page doesn’t load automatically.
FWi
The domain names
example.com
,example.net
andexample.org
are second-level domain names in the Domain Name System of the Internet. They are reserved by the Internet Assigned Numbers Authority (IANA) at the direction of the Internet Engineering Task Force (IETF) as special-use domain names for documentation purposes. (…wikipedia)Yup. And to add, your browser will send things like:
Your IP address. Technically this is sent by the OS doing networking and is unavoidable. At best, a VPN can hide this, because the VPN sits in the middle.
Various basic request headers, which most notably contains user agent (identifies browser) and language headers, both which you can fake if you want to.
Cookies for that domain (if you have any). Those can track you across multiple requests and thus build up a profile of you.
That’s why you should use a native app, which won’t send any of that identifying info (except for IP but there’s nothing you can do on that)