please add destinyitemmanager.com to yellowlist #2056

Closed
jakibbe opened this issue Jun 8, 2018 · 15 comments
Labels
broken site DNT policy EFF's Do Not Track policy: www.eff.org/dnt-policy

Comments

@jakibbe

jakibbe commented Jun 8, 2018

This site is an inventory manager for a popular video game, Destiny 2. Users need to be able to log in to this site through the game developer's site (bungie.net). Site users often think that destinyitemmanager.com is broken since Privacy Badger blocks access. Please consider adding destinyitemmanager.com to your yellowlist. Thanks!

@ghostwords
Member

Hello! This may also be one of those cases where we have to teach Privacy Badger that several seemingly distinct domains actually belong to the same entity. We call these domains multi-domain first parties, or MDFP for short.

If you have access to an affected Privacy Badger, could you run the following script in that Badger's background page console and share what it prints out?

```js
(function () {
  // Substring to look for in the domain names Privacy Badger has recorded
  const STR = "destinyitemmanager";
  console.log("**** ACTION_MAP for", STR);
  // action_map: the action Privacy Badger has stored for each domain
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  console.log("**** SNITCH_MAP for", STR);
  // snitch_map: for each tracking domain, the sites it was seen on
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());
```

To get to the background page console in Chrome, visit chrome://extensions, make sure "Developer mode" is checked, click on the "background page" link in Privacy Badger's row, and select the Console tab.

In Firefox, visit about:debugging, enable add-on debugging, click Debug next to Privacy Badger, click the OK button on the popup warning about remote debugging, and enter the above script into the console after the >>.

@ghostwords
Member

One more:

```js
(function () {
  // Same dump as above, this time for the Bungie domains
  const STR = "bungie.net";
  console.log("**** ACTION_MAP for", STR);
  // action_map: the action Privacy Badger has stored for each domain
  _.each(badger.storage.getBadgerStorageObject('action_map').getItemClones(), (obj, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(obj, null, 2));
  });
  console.log("**** SNITCH_MAP for", STR);
  // snitch_map: for each tracking domain, the sites it was seen on
  _.each(badger.storage.getBadgerStorageObject('snitch_map').getItemClones(), (sites, domain) => {
    if (domain.indexOf(STR) != -1) console.log(domain, JSON.stringify(sites, null, 2));
  });
}());
```

@SunburnedGoose

I'm swinging by from @Thisisdim on Twitter. Our users can report that Privacy Badger is blocking downloads of 3rd party content from Google and Bungie.net. Here's an example:

https://twitter.com/RickCasey/status/1001678558136291329
https://twitter.com/RickCasey/status/987508501856518144

I tried it myself today and it didn't block on the first load. I'll keep using the extension and see if it triggers and blocks Bungie.net and Google for me.

@bcyphers
Contributor

bcyphers commented Sep 13, 2018

I visited DIM, and PB does identify bungie.net as a potential tracker. I haven't visited any other domains that include Bungie as a third party, so it's not blocked for me. This may be related to #1545.

Can you check if dragging the "bungie.net" slider to cookieblock (yellow) fixes the issue?

@ghostwords
Member

I'm guessing this is a bungie.net OAuth issue and as such falls under #137.

If Bungie doesn't actually track users on their authentication service domains, Bungie can fix this on their end by posting EFF's Do Not Track policy on each authentication domain. This will tell Privacy Badger to always allow loading of resources from those domains.

@ghostwords
Member

@jakibbe Does moving the slider for all bungie.net domains to "yellow" resolve the issue?

ghostwords added the "DNT policy" label Sep 19, 2018
@ghostwords
Member

ghostwords commented Sep 19, 2018

Error report counts by page domain and exact blocked bungie.net subdomain:

+-----------------------------+----------------+-------+
| fqdn                        | blocked_fqdn   | count |
+-----------------------------+----------------+-------+
| app.destinyitemmanager.com  | www.bungie.net |    13 |
| db.destinytracker.com       | www.bungie.net |     5 |
| destinysets.com             | www.bungie.net |     3 |
| beta.destinyitemmanager.com | www.bungie.net |     2 |
| destinytracker.com          | www.bungie.net |     2 |
| destinysets.com             | bungie.net     |     1 |
| destinytracker.com          | bungie.net     |     1 |
| www.destinylfg.net          | www.bungie.net |     1 |
| www.destinythegame.com      | www.bungie.net |     1 |
+-----------------------------+----------------+-------+

@dcaslin

dcaslin commented Nov 13, 2018

Just got a user report today that https://www.d2checklist.com/ is having calls back to the Bungie.net API blocked (first block is a legit ad/tracking block; second block is the API call that shouldn't be blocked).
image

@ghostwords
Member

@dcaslin Does moving the slider for all bungie.net domains to "yellow" and reloading the site resolve the issue?

@dcaslin

dcaslin commented Nov 13, 2018

Unfortunately I wasn't able to reproduce the problem myself.

I was about to add in some logic to my code that detects status code zero and says "Do you perhaps have Privacy Badger installed?" but figured I'd check with you all first to see if you could just whitelist bungie.net globally since it's been a recurring issue with 3rd party Bungie sites.

@ghostwords
Member

ghostwords commented Nov 14, 2018

How to get bungie.net blocked:

  1. Visit https://www.d2checklist.com/ (this sets two cookies)
  2. Visit https://destinysets.com/
  3. Visit http://www.destinylfg.net/

Two bungie.net domains should now be set to "red" (blocked) under the Tracking Domains tab of Privacy Badger's options. Does sliding bungie.net to "yellow" and reloading your site fix the problem?

@dcaslin

dcaslin commented Nov 14, 2018

Thanks for the tips! Yes, that was able to simulate it and moving back to yellow fixed things. I'll update my warning to tell folks to slide the site to yellow or green. (And now I see why it's getting flagged, it's a shared host that multiple sites are calling back to).

I suppose Privacy Badger doesn't have an option to default whitelist a site like bungie.net that's going to tend to look like a tracker in terms of behavior?

@ghostwords
Member

ghostwords commented Nov 14, 2018

We can put bungie.net on our "yellowlist", which will instruct all Badgers to set bungie.net domains to "yellow", which will allow content to load but block cookies. I'll do this tomorrow morning.

@ghostwords
Member

ghostwords commented Nov 14, 2018

Yellowlisting will not fix authenticating through bungie.net though (#2056 (comment)), if that's another problem our users run into. The issue for fixing authentication flows is #137.

@ghostwords
Member

I just added "bungie.net" to Privacy Badger's yellowlist.

You should see this update get applied to your Badger within the next day. You can also get it right away by restarting your browser.
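
The learning behaviour reproduced in this thread (three sites, then "red") and the effect of the yellowlist, as an added JavaScript example that is not part of the original discussion and is not Privacy Badger's own code. The threshold of three distinct sites, the map shapes and all function names are assumptions chosen to mirror the reproduction steps and the `snitch_map`/`action_map` dumps above.

```javascript
// Simplified model only; not Privacy Badger source. The threshold of 3 is an
// assumption that matches the three-site reproduction steps in the thread.
const TRACKING_THRESHOLD = 3;

function createBadger(yellowlist = []) {
  // snitchMap: tracker base domain -> sites it was seen tracking on
  // actionMap: tracker base domain -> "block" (red) or "cookieblock" (yellow)
  return { snitchMap: {}, actionMap: {}, yellowlist: new Set(yellowlist) };
}

// Crude base-domain helper, good enough for the sample hosts below
// (a real implementation needs the Public Suffix List).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function actionFor(badger, host) {
  return badger.actionMap[baseDomain(host)] || "allow";
}

// Record that thirdPartyHost was seen tracking (e.g. setting cookies) on pageHost.
function recordTracking(badger, pageHost, thirdPartyHost) {
  const site = baseDomain(pageHost);
  const tracker = baseDomain(thirdPartyHost);
  if (site === tracker) return actionFor(badger, thirdPartyHost); // first party
  const sites = badger.snitchMap[tracker] || (badger.snitchMap[tracker] = []);
  if (!sites.includes(site)) sites.push(site); // repeat visits count once
  if (sites.length >= TRACKING_THRESHOLD) {
    badger.actionMap[tracker] =
      badger.yellowlist.has(tracker) ? "cookieblock" : "block";
  }
  return actionFor(badger, thirdPartyHost);
}

// Constructed visit sequence mirroring the reproduction steps in the thread.
const VISITS = [
  ["www.d2checklist.com", "www.bungie.net"],
  ["destinysets.com", "www.bungie.net"],
  ["www.destinylfg.net", "www.bungie.net"],
];

function replay(yellowlist) {
  const badger = createBadger(yellowlist);
  return VISITS.map(([page, tp]) => recordTracking(badger, page, tp));
}

console.log("default:     ", replay([]));
console.log("yellowlisted:", replay(["bungie.net"]));
```
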
