tainted uris and tracking Re: "cross-site"

On 18 Nov. 2011 at 01:51, Bjoern Hoehrmann wrote:
>> The way http://stats.example.com/blah might know about it is because of
>> 
>> * sessionId in URIs - evil, bad architectural design
>> * cookies or other local storage mechanisms
>> * tainted uris with parameters and or hash signs
>> * Browser fingerprinting
> 
> If I understand you correctly, I believe the third option is used on
> http://validator.w3.org/ to betray details of your visit to "flattr".

On http://validator.w3.org/, when accessing.

The flattr toolbox is generated by this script on W3C site
http://www.w3.org/QA/Tools/don_prog.js

This script generates another call to 
http://api.flattr.com/js/0.6/load.js?mode=auto

which itself generates markup, an iframe from
http://api.flattr.com/button/view
calling things from flattr.com
and setting a sessionid cookie with no Expires, which means it lasts only for the duration of the session
for example, PHPSESSID le0eq6055l8lnes50to1old5e2


This iframe contains a few things including the
	document.domain = 'flattr.com';
and indeed tainted uris such as 
http://api.flattr.com/button/click/e1dcb079d564823ab142b1a0f8962e04

Reloading the frame gives another tainted URI
http://api.flattr.com/button/click/89eec9a61cab8ab66eeb7a6a172f2ea6

I'm not sure what the purpose is, given that the number seems to be randomly generated. I guess it associates the sessionid and the tainted URIs to compute the rebound rate (aka the percentage of users actually clicking it).

This specific tainted URI seems to be "safe". Now it would be entirely possible to create a tainted URI constructed from the cookie itself and track the user each time they go back to the primary Web site.

Another thing to notice. W3C would not know programmatically whether the user is tracked or not, because it is an iframe, in case flattr changed its policy. The tainted URIs are not created by W3C either, and the cookies are not in the W3C domain but in flattr.com.

This is why I am trying to understand how that would work on all sides with a DNT:1

* user
* browser
* 1st party (here W3C)
* 3rd party (flattr.com)

I also do not have a flattr account, so I do not know if flattr has a more "aggressive" behavior in case you do. The privacy policy seems to indicate that it is an opt-in for users to disclose that information. http://flattr.com/privacy

-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

Received on Friday, 18 November 2011 14:30:42 UTC