-
-
Notifications
You must be signed in to change notification settings - Fork 343
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot access GCam port links #2397
Comments
This is probably due to the patch that reduces referrer granularity on cross-origin transitions; @uazo the preference value seems unused, is that on purpose? |
first of all, welcome back @csagan5! the flag you signal has always been present in chromium, I have inserted it only in the ui, and it manages the complete deactivation of referrers. maybe something smarter is needed, like a list of domains and the rules needed to make them work, perhaps external and automatically updated, with a message to the user and the possibility of applying them or not. |
Bromite with recent 2 updates started to block the links. It never blocked previously. May be restore that setting? Or was it intentionally for more added security? |
I have not gone anywhere?
I understand, so it works automatically because it re-uses the flag name, similar to flags and switches.
I think these sites will eventually be fixed when upstream rolls out the change to a larger percentage of users.
What is the point of introducing privacy patches if we disable them for all the cases where there is privacy infringement? The list of domains would correspond to the list of infringing sites. I am against any type of snake oil privacy/security, including this one. In some cases we can have a flag or a site setting, but remember that we have no analytics to know how much breakage is happening. The best outcome here is to wait for the feature to be rolled out or contact the site author and tell them that they will eventually have to fix it anyways. |
this particular one I think never
none, of course, but one has to think, maybe privacy-related changes should probably also be weighed against those who would like to use bromite who are not normally technical, and judges the site not working as if it is the browser that is not working.
but we could communicate this to the user, so that he does not think that it is the browser that does not work but the site that uses features, let us say, on the borderline between 'legitimate' and 'harmful'
is true, and I am beginning to miss it... also used to reading through the logs of the software I make
bah, we are neither brave nor google, who would care? we don't even know how many people is using bromite... |
Care to elaborate?
No, it should not. If you use Bromite you have to understand how it works (and how it breaks), otherwise do not use Bromite.
Can you explain how in this specific case the functionality is not infringing? This site would like to use referrers cross-origin to validate where user is coming from, and deny users downloads if the referrers do not match. This is not the W3C-suggested use for referrers and a very poor form of verification. It infringes privacy because the user has not yet visited the other origin but some information would be carried over (what is in the URL of the referer).
What is "this" here?
It is never going to be introduced in Bromite.
I did not write "contact site X saying that browser Y does not work with it", I mentioned the upstream link that explains what the privacy problem is about. That is what you should report to site authors, if you care.
All choices are arguable (as they should be); you will only see reports about the problems here, I already explained it in the past.
All reasons should be explained better in the patches' description, README and Wiki (depending on the type of information).
Compatibility with what, the entire internet? This is an open source project, it breaks stuff and fixes stuff. There is no guarantee about anything and there never will be. I have no intention to start discussions with the teams doing the specs but I am not stopping anyone else from doing that either. Once again this is a very off-topic discussion that has nothing to do with this issue, please use Discussions in the future because here it is off-topic and there it would be visible to other people not checking each single issue. |
I try. I don't think that blocking referrers to third parties will ever be the default, because all the necessary tools to block them (norel attributes, http headers, meta, document policy ecc...) are already present in the standards, if the site has the will to do so.
Of course, it is correct that the user must know the software he/she installs and uses, also because this applies to all software you install.
I don't know the use suggested by w3c, nor did I find it in the specs (https://www.w3.org/TR/referrer-policy/), can you tell me where you read them?
I realise that I have explained myself incorrectly.
yes, of course neither do I. It was just a thought.
this time it is me who does not understand. what link? who are the authors you are referring to?
I can't answer that, I'll have to think about it further
there are various ways, perhaps a comment such as 'Privacy and Security section should mention that a user agent may choose to not expose cross-origin referrer' is sufficient. I will probably give it a try.
I don't see anything OT about it, maybe poorly written, but the aim is to see if the patch could be improved |
So the patch breaks the standards? I realize my misunderstanding now: I thought that with that patch we were anticipating some change from upstream.
The best that could be done is printing a message in the JavaScript console, other similar changes from upstream do it.
https://www.w3.org/TR/referrer-policy/#user-controls
I think this passage is extraordinarily clear, while usually others are not as clear as this one; and coincidentally also covers what the current patch does. Perhaps the best we could do is have another global setting (not site setting) to control the patch behavior (this is also another misunderstanding of mine: I thought that the preference was controlling that, but it does not).
The website is https://www.celsoazevedo.com and the link would have been the upstream Chromium tracking bug (but there is none, I understand now); the authors are the authors of the website.
Too bad if they don't know that user agents can omit the referrer, we are not going to change the user agent to accommodate for that.
It is already in the standard? https://www.w3.org/TR/referrer-policy/#user-controls
The off-topic part is about:
They are very general topics and only incidentally related to this issue; we cannot discuss them properly here because otherwise we thrash the issue. |
To go back on topic, for this issue we should probably:
Why we cannot show pop-ups? Because there could be possibly tens of these pop-ups, it would quickly become comically useless. |
But then I would not be able to differentiate the behaviour according to the site. then perhaps an additional site setting is better.
is similar to the pop-up solution, the message would always be there for all sites, with the complication that the user would never see it directly from the device. a third possibility is to add a new 'open with custom' command to the popup on right-click links (long press). |
More costly to develop and maintain.
I see; then it could be logged so that it is visible via
Sites that do not follow the standard do not deserve this; the standard is clear: referrer is not guaranteed to be there. The sites are in breach, not the browser. I am against having this complex functionality for even 1 of these sites. |
This comment was marked as off-topic.
This comment was marked as off-topic.
I propose to do only this part:
@uazo shall I assign it to me or you? |
Let me get this straight, what is that flag supposed to do? |
This patch does 3 things:
(1) is a preference for the whole referrals functionality. However even with (1) enabled users cannot decide about (2) and (3); I am proposing to add another preference (or make the existing one a tri-state) that allows toggling the (2)+(3) on/off when referrals are allowed (default as it is in the current patch). |
OK, I got it. assign it to me, I'll finish what I started.
I like it better this way |
@uazo I think the issue seems to be resolved. |
Preliminary checklist
Can the bug be reproduced with corresponding Chromium version?
No
Bromite version
105.0.5195.147
Device architecture
arm64
Android version
12.1
Device model
DRG_Sprout (LOS 19.1)
Changed flags
no flags changed
Is this bug about the SystemWebView?
No
Is this bug happening in an incognito tab?
Yes
Is this bug caused by the adblocker?
No
Is this bug a crash?
No
Describe the bug
Unable to download GCam Mods from https://www.celsoazevedo.com/files/android/google-camera/.
I've heavily modified the app with flags. I assumed it might be the issue, cleared all the data, same issue. Tried the same on other devices, same issue.
Try with this link: https://www.celsoazevedo.com/files/android/google-camera/dev-bsg/f/dl109/
It doesn't download, instead the app tries to access the internal un-sharable link.
This is happening in both normal and incognito tabs.
Steps to reproduce the bug
Expected behavior
Upon clicking on the download option, the app is supposed to download the app instead of accessing the internal link which blocks downloads.
Screenshots
No response
The text was updated successfully, but these errors were encountered: