Posts with hyperlinks to other sites can import trackers to the forums?!


I just noticed, thanks to Privacy Badger, that hyperlinks from other websites posted to the forum can introduce their trackers to that thread.

If you have Privacy Badger installed, compare this topic I just created (no external tracker) to this one which includes a hyperlink to the Proton website:

It’s using a tracker from “Cloudinary.”

And it’s persisting even if I switch to other topics in the forum. (I’ve blocked it, of course.)


I have Privacy Badger installed. It is reporting that tracker on this topic (as well as on the other one).

1 Like

I think that’s the problem. There’s no way to “compare” one topic with another - because it’s persisting. I have already viewed a dozen or more topics. However now that I logged out from the forum, closed the tab, opened a new tab, and logged back in … this topic is clean.

1 Like

Right. It followed you back here from the other topic.

The way to get rid of it is to open this topic in a separate tab and also close this tab.

1 Like

Anyway … be careful not to include a link to an external web page on a line by itself.

The forum software handles a link on a line by itself in a special way, creating a nice box and stuff, and hauling in some kind of image relating to the link. The image that it hauled in relating to the article from Proton is hosted on “cloudinary”. Hence the problem.

Just inserting a space in front of a link on a line by itself should be enough to stop this Discourse behaviour.


That may not be enough. I tried it earlier on that post with “See hyperlinked title,” and it didn’t help. It could havejust been the latching-on, “following” behavior I described.

I think from now on, for external links I post, I will deactivate the hyperlink.

EDIT: OK, yeah, it appears to be enough to just include it with other text. I had to copy the topic url to another tab to get it to disappear after I edited the post.


See that seems to have fixed it now!

I don’t think you need to deactivate the hyperlink (which would create a painful UX).

I think this is a good pickup though(!) and that Purism should look into their Discourse config. (I have no idea whether this is fixable by config.)

@JCS ?

As an aside, deep linking someone else’s image may not even work. Doing that may be blocked by the destination web site. So ideally Discourse would be configured for this particular scenario either not to include an image at all (I certainly wouldn’t care if there is no image) or to make a local copy of the image (ideally, scaled down if required).


Can you elaborate on how the technology you are referring to actually works? If I inspect element, or view page source, for the link in your other post… I have yet to find anywhere that Discourse is redirecting to content hosted elsewhere surrounding the link. Am I missing something?

Which “you” is that? Me? @‌amarok?

Probably that @‌amarok fixed his post.

Given that I think we have at least got to the bottom of the problem, I’ll post the same link here and make the problem come back.

Now look at this topic.

1 Like

Sure be nice if Discourse stripped out trackers!


I created a ticket for review by the sysadmin team to investigate if this is a setting in Discourse we can adjust, or if it’s a vulnerability/issue in the platform itself. Part of the “definition of done” for the issue is to follow up in this thread to provide an update.


Is this what you suggest/advise we should do from now on until maybe this can be fixed by Discourse?
Should we then also each look at all our own previous posts and edit the link by adding text into the line?

1 Like

Sure be nice if Discourse stripped out javascript requirement for login!

I might actually use this forum more often if it weren’t for this.

@JCS, any chance you could investigate if there is a setting in Discource you can adjust to allow login without javascript? Or maybe Purism can create a privacy-focused Discource fork?


phpBB and other PHP-based forum software works fine without JavaScript, although I cannot imagine Purism migrating to an entirely different forum software anytime soon, or maintaining a JavaScript-free/privacy-focused Discourse fork.

1 Like

I’m not expecting them to do so either. I just wanted to add to the other comment about asking for a more pleasant and safe experience here on the forums. Without javascript, lots of trackers are rendered useless and harmless. I also typically use uBlock Origin to block all 3rd party requests, which gives me a significantly better browsing experience, while incidentally blocking most trackers too.

1 Like

I create a sysadmin support ticket to document this request. Like you and @FranklyFlawless have stated, the likelihood of this happening in the near future is very low, but it’s good to keep a record of the interest and rationale. I appreciate you looking out for users like yourself who wish to avoid JavaScript to have a more pleasant and safe experience for them.


Sometimes this kind of point would be better directed at Discourse themselves (or in addition to raising the point here) i.e. in the Discourse “meta” forum. I mean sure it might be an option to simplify the login by configuration so that it does not need Javascript but it might not be.

I guess it may also be helpful to give us insight into what the forum software actually does with Javascript on the login page i.e. why it is choosing to use Javascript. Would there be another way of achieving the same functionality but without using Javascript? Or would the only way be to drop the functionality (which may or may not be important functionality)?

Keep yourself logged in 24x7? :wink:

Just my 2¢ but I would prefer Purism focus their efforts on existing product development. Anyway, let’s see whether this can be achieved by configuration.

Yes. Note though this is only talking about a link to an external web page. There is no need to worry about this when linking to other Purism pages, whether on the same domain or different.

Regardless you should be using something like Privacy Badger since even if this forum gets “fixed” other forums won’t be.

In theory, yes, but I would wait to see whether this can be fixed in config - because if it can be then the change may apply retrospectively (under the right conditions, including e.g. being careful with server-side caching and e.g. being careful with client-side caching).

Note also that a single leading space is sufficient to disable this Discourse functionality (and that won’t affect the appearance in the sense that HTML ignores leading spaces).