Posts with hyperlinks to other sites can import trackers to the forums?!

Whoa…!

I just noticed, thanks to Privacy Badger, that hyperlinks from other websites posted to the forum can introduce their trackers to that thread.

If you have Privacy Badger installed, compare this topic I just created (no external tracker) to this one which includes a hyperlink to the Proton website: https://forums.puri.sm/t/microsoft-takes-a-refreshing-plunge-in-the-scroogle-pool/22396

It’s using a tracker from “Cloudinary.”

And it’s persisting even if I switch to other topics in the forum. (I’ve blocked it, of course.)

5 Likes

I have Privacy Badger installed. It is reporting that tracker on this topic (as well as on the other one).

1 Like

I think that’s the problem. There’s no way to “compare” one topic with another - because it’s persisting. I have already viewed a dozen or more topics. However now that I logged out from the forum, closed the tab, opened a new tab, and logged back in … this topic is clean.

1 Like

Right. It followed you back here from the other topic.

The way to get rid of it is to open this topic in a separate tab and also close this tab.

1 Like

Anyway … be careful not to include a link to an external web page on a line by itself.

The forum software handles a link on a line by itself in a special way, creating a nice box and stuff, and hauling in some kind of image relating to the link. The image that it hauled in relating to the article from Proton is hosted on “cloudinary”. Hence the problem.

Just inserting a space in front of a link on a line by itself should be enough to stop this Discourse behaviour.

2 Likes

That may not be enough. I tried it earlier on that post with “See hyperlinked title,” and it didn’t help. It could have just been the latching-on, “following” behavior I described.

I think from now on, for external links I post, I will deactivate the hyperlink.

EDIT: OK, yeah, it appears to be enough to just include it with other text. I had to copy the topic url to another tab to get it to disappear after I edited the post.

2 Likes

See that seems to have fixed it now!

I don’t think you need to deactivate the hyperlink (which would create a painful UX).

I think this is a good pickup though(!) and that Purism should look into their Discourse config. (I have no idea whether this is fixable by config.)

@JCS ?

As an aside, deep linking someone else’s image may not even work. Doing that may be blocked by the destination web site. So ideally Discourse would be configured for this particular scenario either not to include an image at all (I certainly wouldn’t care if there is no image) or to make a local copy of the image (ideally, scaled down if required).

3 Likes

Can you elaborate on how the technology you are referring to actually works? If I inspect element, or view page source, for the link in your other post… I have yet to find anywhere that Discourse is redirecting to content hosted elsewhere surrounding the link. Am I missing something?

Which “you” is that? Me? @‌amarok?

Probably that @‌amarok fixed his post.

Given that I think we have at least got to the bottom of the problem, I’ll post the same link here and make the problem come back.

Now look at this topic.

1 Like

Sure be nice if Discourse stripped out trackers!

4 Likes

I created a ticket for review by the sysadmin team to investigate if this is a setting in Discourse we can adjust, or if it’s a vulnerability/issue in the platform itself. Part of the “definition of done” for the issue is to follow up in this thread to provide an update.

5 Likes

Is this what you suggest/advise we should do from now on until maybe this can be fixed by Discourse?
Should we then also each look at all our own previous posts and edit the link by adding text into the line?

1 Like

Sure be nice if Discourse stripped out javascript requirement for login!

I might actually use this forum more often if it weren’t for this.

@JCS, any chance you could investigate if there is a setting in Discourse you can adjust to allow login without javascript? Or maybe Purism can create a privacy-focused Discourse fork?

3 Likes

phpBB and other PHP-based forum software works fine without JavaScript, although I cannot imagine Purism migrating to an entirely different forum software anytime soon, or maintaining a JavaScript-free/privacy-focused Discourse fork.

1 Like

I’m not expecting them to do so either. I just wanted to add to the other comment about asking for a more pleasant and safe experience here on the forums. Without javascript, lots of trackers are rendered useless and harmless. I also typically use uBlock Origin to block all 3rd party requests, which gives me a significantly better browsing experience, while incidentally blocking most trackers too.

1 Like

I created a sysadmin support ticket to document this request. Like you and @FranklyFlawless have stated, the likelihood of this happening in the near future is very low, but it’s good to keep a record of the interest and rationale. I appreciate you looking out for users like yourself who wish to avoid JavaScript to have a more pleasant and safe experience for them.

4 Likes

Sometimes this kind of point would be better directed at Discourse themselves (or in addition to raising the point here) i.e. in the Discourse “meta” forum. I mean sure it might be an option to simplify the login by configuration so that it does not need Javascript but it might not be.

I guess it may also be helpful to give us insight into what the forum software actually does with Javascript on the login page i.e. why it is choosing to use Javascript. Would there be another way of achieving the same functionality but without using Javascript? Or would the only way be to drop the functionality (which may or may not be important functionality)?

Keep yourself logged in 24x7? :wink:

Just my 2¢ but I would prefer Purism focus their efforts on existing product development. Anyway, let’s see whether this can be achieved by configuration.

Yes. Note though this is only talking about a link to an external web page. There is no need to worry about this when linking to other Purism pages, whether on the same domain or different.

Regardless you should be using something like Privacy Badger since even if this forum gets “fixed” other forums won’t be.

In theory, yes, but I would wait to see whether this can be fixed in config - because if it can be then the change may apply retrospectively (under the right conditions, including e.g. being careful with server-side caching and e.g. being careful with client-side caching).

Note also that a single leading space is sufficient to disable this Discourse functionality (and that won’t affect the appearance in the sense that HTML ignores leading spaces).

3 Likes
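
For anyone auditing their own earlier posts as discussed above, here is an added example (not part of any post in this thread and not Discourse code) that flags lines in a post's raw text consisting only of an external link, and applies the leading-space workaround. The preview rule is modelled only on how the thread describes it; the function names, the `FIRST_PARTY` list and the `example.org` URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: only puri.sm is named in the thread; extend for other first-party sites.
FIRST_PARTY = ("puri.sm",)

# A line holding nothing but one http(s) URL, starting in the first column.
# A leading space or any surrounding text means no match, as the thread reports.
BARE_URL = re.compile(r"^(https?://\S+)[ \t]*$")

def is_first_party(url, suffixes=FIRST_PARTY):
    """True when the URL's host is one of the first-party domains or a subdomain."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed host, e.g. an unbalanced IPv6 bracket
        return False
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_preview_links(raw_post, suffixes=FIRST_PARTY):
    """Return (line_number, url) for external links on a line by themselves."""
    hits = []
    for n, line in enumerate(raw_post.splitlines(), start=1):
        m = BARE_URL.match(line)
        if m and not is_first_party(m.group(1), suffixes):
            hits.append((n, m.group(1)))
    return hits

def neutralise(raw_post, suffixes=FIRST_PARTY):
    """Prefix each flagged line with a single space (the thread's workaround)."""
    flagged = {n for n, _ in find_preview_links(raw_post, suffixes)}
    lines = raw_post.splitlines()
    return "\n".join(" " + l if i in flagged else l
                     for i, l in enumerate(lines, start=1))

# Constructed sample post: only line 2 is a bare external link.
SAMPLE = """Interesting article:
https://news.example.org/story/123
 https://news.example.org/story/456
See https://news.example.org/story/789 for more.
https://forums.puri.sm/t/microsoft-takes-a-refreshing-plunge-in-the-scroogle-pool/22396
"""

if __name__ == "__main__":
    for n, url in find_preview_links(SAMPLE):
        print(f"line {n}: {url}")
```
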