
data-saferedirecturl defeats URL stripping #69

Closed
aspiers opened this issue Aug 21, 2018 · 10 comments

Comments


aspiers commented Aug 21, 2018

I see that Gmail are doing something really evil with hyperlinks within emails:

```html
<a href="https://link.to.other.site" target="_blank" data-saferedirecturl="https://www.google.com/url?q=link.to.other.site&amp;source=gmail&amp;ust=1534942837200000&amp;usg=AFQjCNH3Pzb1Mq6zL847zzh6iqd4g1B3IA">here</a>
```

This is also described here:

I really don't want google tracking which links I click on. I'm sure Google would claim that they're doing the user a favour by hiding referrer data from the target web server, but only because they're stealing that data for themselves!

So I think it would be great if this project stripped these data-saferedirecturl links.


aspiers commented Aug 21, 2018

Also worth noting that this creates the exact opposite effect of the problem described in #68: the stripped URL is shown on mouse-over, but the hijacked URL is actually used on click.


aspiers commented Aug 23, 2018

@cameronrcraig commented on 22 Aug 2018, 19:43 BST:

> This extension already handles these kinds of links.
>
> google.com/url?q=https://website.com causes a 307 redirect (because of the extension) to website.com
>
> The rule is:
>
> ```javascript
> {
>   name: 'Google Search Results',
>   targetParam: 'url',
>   patterns: [
>     `${SCHEMA}www.google.com/url?`
>   ],
>   // Google uses 'ping' method sometimes.
>   types: ['main_frame', 'ping']
> }
> ```

I was already aware of that rule, but it doesn't work for me in Gmail at least, most likely because the extension doesn't consider data-saferedirecturl. If you search the extension's codebase you will not find any mentions of that string at all.

> EDIT: This may actually be a bug with the official version of the extension.

It definitely is, otherwise I would not have seen Gmail hijacking my links.

> I've made quite a few improvements and bug fixes in my fork because I believe this was a problem that I encountered as well.

Thanks for sharing! Please could you start submitting pull requests for these changes one by one, so that we can all work together as a community on building the best possible single unified codebase? (Please don't submit 11 commits in a single PR, since that would significantly complicate and slow down the review process, due to mixing non-controversial changes with potentially controversial ones, and for other reasons.)

@newhouse (Owner) commented

Hi everyone, a bit to unpack here.

@aspiers: regarding the original issue filed here, the extension should handle and skip such redirects that you mention. If it is not doing it for you, then it might be a bug. One thing I noticed in your example is that you use link.to.other.site... as your redirect example. That doesn't contain a protocol (e.g. 'https://') which I think will make that example not have the redirect skipped. In my experience, Gmail will include the protocol and if you do include the protocol (...q=https://link.to.other.site...) then it works as expected.

So, when you say

> it doesn't work for me in Gmail at least

can you elaborate? What happens for you and why do you think it doesn't work? Can you provide some more details about an example of when it didn't work and you thought it should? For me the extension does skip those redirects when I click on links in my Gmail, so I'm not sure what you're experiencing. I can tell by either 1) clicking on a link in gmail and then the extension's icon will indicate to me that it's skipped a redirect or 2) paste a link from a data-saferedirecturl in Gmail into a new tab and monitor the 307 redirect occur.

Also while this snippet here is accurate

> extension doesn't consider data-saferedirecturl. If you search the extension's codebase you will not find any mentions of that string at all.

...it is-not / would-not be responsible for handling (or not handling) the redirects that you're talking about. The extension does not go all over your webpages and replace redirects and tracking parameters in every href, data-saferedirecturl or url-like element/property it can find (nor should it, IMO). Rather, it waits/monitors for webRequest events (triggered by clicking on links, usually) and context menu events (triggered by right-click menu items) and then will apply any rules/logic at that point. Again, the extension does not inject itself into your pages and manipulate HTML on the sites you are visiting and I don't think at this point that it should.

So, at this point I'm going to assume that the extension is working as it should and close this issue. Please feel free to open this as a bug if you still believe after having another look that something's wrong.

@cameronrcraig I would definitely welcome any pull requests for things that you think would be universally desirable for users!
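As an added illustration (not code from the extension or from anyone in this thread): a pure-function model of what newhouse describes, a rule match at webRequest time that unwraps the Gmail data-saferedirecturl wrapper shown in the first comment and answers with a redirect, without touching page HTML. The rule shape follows the one quoted above; `SCHEMA` and the regex it expands to, the `q` targetParam (the parameter Gmail's wrapper actually uses in the first comment), and the function names are assumptions for this example. It also shows the scheme caveat newhouse raises: a bare `q=link.to.other.site` is not redirected.

```javascript
// Added example (not code from the url-tracking-stripper project): a
// pure-function model of how a webRequest-based stripper resolves a
// redirect-wrapper URL to its real target without rewriting page HTML.
// Assumed names: SCHEMA, RULES, resolveRedirectTarget, onBeforeRequest.

// The quoted rule writes patterns as `${SCHEMA}www.google.com/url?`.
// SCHEMA is assumed here to be a regex prefix matching http:// or https://.
const SCHEMA = '^https?://';

// Rule shape modelled on the one quoted in the thread. The Gmail wrapper
// in the first comment carries the destination in `q`, so that is the
// targetParam assumed here.
const RULES = [
  {
    name: 'Google redirect (search results / Gmail data-saferedirecturl)',
    targetParam: 'q',
    patterns: [`${SCHEMA}www\\.google\\.com/url\\?`],
    types: ['main_frame', 'ping'],
  },
];

// Returns the unwrapped destination for `url`, or null when no rule
// matches or the destination is unusable (e.g. no http(s) scheme, the
// case newhouse points out for a bare `q=link.to.other.site`).
function resolveRedirectTarget(url, rules = RULES, type = 'main_frame') {
  for (const rule of rules) {
    if (!rule.types.includes(type)) continue;
    if (!rule.patterns.some((p) => new RegExp(p).test(url))) continue;

    let target;
    try {
      target = new URL(url).searchParams.get(rule.targetParam);
    } catch {
      return null; // not a parseable absolute URL
    }
    if (!target) return null;

    // Only redirect to an absolute http(s) destination; anything else
    // (scheme-less host, javascript:, data:) is left alone.
    try {
      const t = new URL(target);
      if (t.protocol !== 'http:' && t.protocol !== 'https:') return null;
      return t.href;
    } catch {
      return null;
    }
  }
  return null;
}

// Mirrors the return contract of a blocking webRequest.onBeforeRequest
// listener: returning { redirectUrl } makes the browser drop the original
// request and issue an internal redirect (Chrome's Network panel labels
// it "307 Internal Redirect"), so the wrapper host is never contacted.
// Registration (not executed here) would look like:
//   chrome.webRequest.onBeforeRequest.addListener(onBeforeRequest,
//     { urls: ['<all_urls>'], types: ['main_frame', 'ping'] }, ['blocking']);
function onBeforeRequest(details) {
  const target = resolveRedirectTarget(details.url, RULES, details.type);
  return target ? { redirectUrl: target } : {};
}

// Constructed samples: the wrapper from the first comment, with and
// without a scheme on the q= value.
const WRAPPED_NO_SCHEME =
  'https://www.google.com/url?q=link.to.other.site&source=gmail&ust=1534942837200000&usg=AFQjCNH3Pzb1Mq6zL847zzh6iqd4g1B3IA';
const WRAPPED_WITH_SCHEME =
  'https://www.google.com/url?q=https://link.to.other.site/path?x=1&source=gmail&ust=1534942837200000&usg=AFQjCNH3Pzb1Mq6zL847zzh6iqd4g1B3IA';

console.log(resolveRedirectTarget(WRAPPED_NO_SCHEME));   // null: not skipped
console.log(resolveRedirectTarget(WRAPPED_WITH_SCHEME)); // https://link.to.other.site/path?x=1
console.log(onBeforeRequest({ url: WRAPPED_WITH_SCHEME, type: 'main_frame' }));
```

Because the decision is made on the outgoing request rather than on the page, the wrapper URL still exists in the mail's HTML and can briefly appear in the address bar; the `{ redirectUrl }` return is what turns that request into the internal 307 instead of a round trip to the wrapper host.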


YesThatAllen commented Sep 26, 2018

Backing up @cameronrcraig .. I am looking for a plugin specifically to disable data-saferedirecturl links in gmail. I think they are far worse than the other tracking links this extension is designed to stifle.

I'm not in a position to help with a PR, but would be happy to support development of this feature.

EDIT: I'll just use Cameron's version until the code is pulled in to master.

Also, I'm happy to help break up PR #71 in to more manageable PRs

@YesThatAllen commented

I wonder what this PR was supposed to do?

#23

What I see, when using the official branch, is that an email from github which I receive in gmail's webmail is still wrapped in a data-saferedirecturl. When I click the link, I suffer through google's link-tracking (adding an undesired hop, and tracking my actions) then land at the github issue I wanted to visit.

It's only when I'm on the github site that the URL Tracking Stripper extension claims to have helped (It hasn't) and offers to "Reload with full URL"..

(screenshot: 2018-09-26_09-46-40)

(Nothing was skipped here)

@newhouse (Owner) commented

TLDR: It does skip Google and does not pass through its servers. Please let me know if you can show otherwise and how to reproduce it, and I will certainly investigate @YesThatAllen. This will be the last time I comment on this thread. If there still turns out to be some issue, please open another ticket as this one has gotten quite useless.

Details:
Let me see if I can put this to bed once and for all:

  • As mentioned several times now, I will not go into your webpages and manipulate links as this is very invasive. Because of this, the data-saferedirecturls all exist in Gmail and wherever you encounter them - I do not change them on the webpages and if you look at the HTML they will still be there. This extension is not intended to change the URLs on the page for you, so this is expected behavior. But it also doesn't mean that it's not going to skip those redirects for you...
  • When you click on one of them with this extension installed, the extension will BLOCK that request and redirect you to the target page, skipping Google's servers and having no cookies dropped or tracking occur. You may see the URL flash in your browser bar or network history, but it will have been stopped from loading via a 307 Internal Redirect.
  • The following videos illustrate this behavior by navigating to a link pulled from a data-saferedirecturl first with the extension enabled, and second without it enabled:

Here's an image as well.
(image)

@YesThatAllen commented

Thanks for this @newhouse. Yes, I've confirmed what you said (more below).

I was seeing the google URLs in the address bar, and the rest of the comments here added to the confusion, leading me to think that the google URL was still being visited. (Github allows comments to be dismissed as "resolved", which may help future visitors.)

To confirm, I set my hosts file for www.google.com to resolve to localhost, loaded the official plugin, and tried to browse using the links from gmail.
They loaded fine.

I pasted a redirect URL in an incognito window, and they failed to load. So, yes, this plugin is stifling the data-saferedirecturl links.

Very nice 👏


aspiers commented Sep 27, 2018

Yeah thanks a lot @newhouse for your patience and very informative replies, and sorry for the late reply.

> You may see the URL flash in your browser bar or network history

This is what confused me, and based on the above clearly I wasn't the only one. If there is a way to prevent that from appearing then it would prevent others being similarly confused in the future. But I appreciate that from a technical standpoint that might be very difficult or even impossible to achieve. Maybe instead it would be possible to briefly flash something up showing that the redirect was intercepted and skipped?

> but it will have been stopped from loading via a 307 Internal Redirect.

Thanks for the image showing this (especially considering I don't have Flash installed so can't view the videos). How did you manage to get that request and redirect response appearing in the Network tab of Chrome's inspector? When I clicked a link in my gmail which has this redirect, I only see a single HTTP POST to https://mail.google.com/sync/u/0/i/s?hl=en-GB&c=32 which gets a 200 response.

Just one other loose end to tie up:

@newhouse commented on 28 Aug 2018, 15:23 BST:

> One thing I noticed in your example is that you use link.to.other.site... as your redirect example. That doesn't contain a protocol (e.g. 'https://') which I think will make that example not have the redirect skipped. In my experience, Gmail will include the protocol and if you do include the protocol (...q=https://link.to.other.site...) then it works as expected.

I'm not sure, but I suspect I accidentally removed the https:// protocol when anonymising the target URL. At least, all the gmail redirects I'm looking at now do include the protocol (...q=https://link.to.other.site...) like you say.

Thanks again!


Alocyte commented Sep 4, 2019

View Re-login and retrieve your pending messages.
It's a real problem in emails used by spammers.
It appears to refer to the techagilist site but hits seamus-fox.com.
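An added example, not part of this thread or of the extension, of the offline check a reader can run on a suspicious mail like the one Alocyte describes: parse the anchors in the message source and compare the visible label, the href, and the destination carried inside the data-saferedirecturl wrapper, without fetching anything (so nothing is clicked or tracked). The sample HTML, the host-comparison heuristic and the function names are constructed for this example; the anchor extraction is a toy for this constructed input, not a general HTML parser.

```javascript
// Added example (not from the thread or the extension): offline audit of
// the links in a mail body. For each anchor it reports what the reader
// sees, where href points, and where the data-saferedirecturl wrapper
// actually sends the click. Names and sample input are constructed.

// Unwrap one Google redirect wrapper (…/url?q=<dest>&…); returns the
// destination string, or null when the URL is not that shape.
function unwrapSafeRedirect(wrapper) {
  try {
    const u = new URL(wrapper);
    if (u.hostname !== 'www.google.com' || u.pathname !== '/url') return null;
    return u.searchParams.get('q');
  } catch {
    return null;
  }
}

// Hostname of a URL-ish string; accepts bare "example.com/path" text as
// link labels often show. Returns null if nothing hostname-like is there.
function hostOf(s) {
  if (!s) return null;
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`;
  try {
    const h = new URL(candidate).hostname;
    return /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(h) ? h.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Minimal anchor extraction for the constructed sample (not a real HTML parser).
function auditAnchors(html) {
  const results = [];
  const anchorRe = /<a\s+([^>]*)>([\s\S]*?)<\/a>/gi;
  const attrRe = /([a-z-]+)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2].replace(/&amp;/g, '&');
    }
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const hrefHost = hostOf(attrs.href);
    const wrapper = attrs['data-saferedirecturl'];
    const clickTarget = wrapper ? unwrapSafeRedirect(wrapper) : null;
    const clickHost = clickTarget ? hostOf(clickTarget) : null;
    const textHost = hostOf(text);
    results.push({
      text,
      hrefHost,
      clickHost,
      wrapped: Boolean(wrapper),
      // Label names a host that neither href nor the unwrapped target goes to.
      textMismatch: textHost !== null && textHost !== hrefHost && textHost !== clickHost,
      // href and the wrapper's destination disagree (the hover-vs-click case).
      hrefMismatch: clickHost !== null && clickHost !== hrefHost,
    });
  }
  return results;
}

// Constructed sample mail body: a Gmail-wrapped link, a wrapped tracker
// link whose label pretends to be another site, and a plain link.
const SAMPLE_HTML = `
<p>Links:</p>
<a href="https://link.to.other.site" target="_blank" data-saferedirecturl="https://www.google.com/url?q=https://link.to.other.site&amp;source=gmail&amp;ust=1534942837200000&amp;usg=AFQjCNH3Pzb1Mq6zL847zzh6iqd4g1B3IA">here</a>
<a href="https://tracker.example/r/abc123" data-saferedirecturl="https://www.google.com/url?q=https://tracker.example/r/abc123&amp;source=gmail">example.org/account</a>
<a href="https://example.org/login">Re-login and retrieve your pending messages</a>
`;

console.log(auditAnchors(SAMPLE_HTML));
```

Run against the saved source of a message (Gmail's "Show original" gives the raw mail; the rendered HTML can be copied from the browser's inspector). Any row with `textMismatch` or `hrefMismatch` set is one where hovering or reading the link would not have told you where the click goes.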

@gtabroker commented

If an email mailing list sent me a link but I don't want them to know I clicked the link, is there any way to find where it redirects to without them tracking my click?
