Breaks proxy caching, with privacy consequences #80
Comments
|
Aha! I found that exact problem in this site: http://www.brasil2016.gov.br/en/news/rio-2016-raises-the-bar-for-olympic-and-paralympic-sports Try it yourself:
|
|
See #81 for another way in which privacy is broken. |
|
nice catch, thanks! CC @keul |
|
Yes, in my usecase DNT header and privacy cookie were added to Varnish cache configuration. |
|
I think we must load this client side the same way we did with the WhatsApp and Telegram plugins; having to maintain this in Varnish means we'll have entries duplicated for each page displaying the widgets. |
|
@hvelarde totally agree. Client side is the way to go |
|
Seems that implementing the two-click-to-like feature I requested the other day, is about to get much more straightforward. Back to the topic: how does the page query the value of the DNT setting, in order to avoid third-party-loading the HEAD javascripts and images? |
|
@Rudd-O seems is possible (that's totally new for me): https://davidwalsh.name/detect-track-javascript Not sure how well supported this is. |
|
mostly fixed in #133. |
User 1: visit Plone with this addon using a browser(DNT=1). fronted by e.g. a Varnish server. Plugin generates viewlet with content that tracks the browser. Varnish caches page.
User 2: visit same Plone with this addon using a browser(DNT=1). Varnish serves cached page with content that tracks the browser.
In other words: caching defeats the privacy feature.
Fix: upon install, update plone.app.caching configuration to add Vary: DNT header. Alternatively, add Vary: DNT header when viewlet render is invoked (not recommended, as this would conflict with plone.app.caching).
None of these fixes are very reliable since plone.app.caching is not necessarily installed at the time of this plugin's installation, so then we have an install ordering problem.
The text was updated successfully, but these errors were encountered: