Comment

Comment on Phone home tracking image in DocuSeal, and how to remove it

just_another_person@lemmy.world ⁨4⁩ ⁨months⁩ ago

Friend, please listen to reason.

The “code” you linked to is not functional code of any sort. Not to be nitpicky, it’s just an HTML image tag, so its Markup at best. All you did was stop the loading of an SVG image. The fact that they source it from their own domain tells you everything: they have a script that runs to check the current number of stars, then generates this image that reflects. It’s really standard.

All your other points you’re making because you do not have much experience in the software realm, which I’m not saying to be dismissive or anything like at all, I’m simply illustrating that all the points you’re questioning or mentioning are 100% standard.

you don’t make a fork for three lines of code and ask others to “check it out”. If anything, just point out the issue and post a diff or a script to fix it. Simple.
They have a pro version, and are using images they generate in a template viewed by users to promote its popularity and try to sell pro. They’re running a business out of this. Not every FOSS project is non-profit, and these people are simply trying to sell a product AS WELL as keep it open source for others to enjoy, like yourself. Feel lucky to have the privilege they are letting you use it for free.
The term “phoning home” as you’re trying to use it, is wrong. You’re implying that it is functionally doing something unexpected. It is not. It is sourcing an image in HTML. The suspicious type of phoning home is code that executes locally and pulls down other functional bits of code that alter the way the software APPEARS to be used. It’s a way of obfuscating something shady, like a virus, or malware. This is not that kind of code.
If your concern is simply that the code you’ve run is sourcing an image from somewhere, I can only imagine how upset you’ll be to learn that software repos of this size are pulling things from dozens, if not hundreds of places. This project pulls from rubygems, yarnpkgs, and the dreaded example.com.
Lastly, the reason that team responded to you in that manner was more that they were taken aback. Like “WTF is this person talking about? I don’t get it.” Realize that they were nice enough to respond, where most project maintainers would just ignore or close the issue.

Also, you might want to freak out about the social badges being sourced in this as well.

source

Sort:hotnew top

coffee_chum@lemmy.ml ⁨4⁩ ⁨months⁩ ago
Just to play devils advocate for a minute- Loading from their own domain means they can actually garner quite a bit of information from just the serving of the svg:

date and time of access

IP (country, state, region, etc)

Potential for SVG xss attack if hoster doesn’t clamp down their CSP settings

Date/time/IP are good enough for getting pretty good estimates of who all uses their software. Doesn’t matter if they are or aren’t using that data- it is being sent to them on their own accord and terms. The public has no way of knowing.

And this is all perfectly acceptable, as long as you do one of the following:

Prominent notice to user that tracking is enabled by default, and it can be disabled by doing X, Y, or Z. State the kind of tracking information collected and maybe even say logs are kept in memory or dumped after X days.

Allow for opt-in tracking. This one’s pretty straightforward.

All of this doesn’t really matter if the dev isn’t willing to change anything about the remote image.

But a fork?? Yeah, totally unnecessary. You can take easily care of this at the reverse proxy layer by preventing the svg (or anything else for that matter) from being served. Just serve a 404 or something instead or do a regex replace and remove it altogether from the page prior to serving.
source
neko@sh.itjust.works ⁨4⁩ ⁨months⁩ ago
Loading external images will reveal to the site where it’s loaded from at least these things:

User’s IP

Useragent string

Referrer

Also it can set third-party cookies which can be used to track specific user.

I don’t know if this project processes any of that data, but outside images can be used for tracking purposes.

At least it would be a good idea will be to limit some of this things for that img tag by setting some attributes that prevent referrer and cookies from being sent.
source
- just_another_person@lemmy.world ⁨4⁩ ⁨months⁩ ago
  AGAIN.
  
  This is not “phoning home” as claimed. It is not a SECURITY RISK as claimed. It is a privacy want/complaint/nag at the very VERY least. THIS IS ALSO NOT A PRIVACY FOCUSED PROJECT.
  
  Y’all need to get better hobbies, seriously.
  
  source