Block, unblock, block

Wednesday, April 28th, 2010 11:24 am
[personal profile] afuna
Aghhhhh okay so I've been blocked on writing in my journal for a while now. I keep wanting to post stuff and linkspam, but I get stuck trying to decide whether to crosspost or not.

Mostly what's stopping me is the Driving Revenue stuff.

Basically, LJ embedded a third-party script which checks whether it can add an affiliate id to the links in your entries, regardless of whether you're paid, plus or basic. Every time you hover over a link, the script sends information about the link to the third party, and won't let you click through until it has received a response.

If you're on a slow computer or a slow connection, the lag time on left-clicks and right-clicks can be very noticeable.

There's a lot more background information here, including how to turn it off completely (if you're lagging give the opt out a try, it helped me a lot).

I don't quite agree that the big risk is script kiddies. I think the bigger issue is that the third-party site is getting all this information, and that makes it really tempting for them to harvest this data for ad targeting.

As a paid user, I don't just want to avoid seeing ads; I want as little as possible harvestable information about me and my browsing habits being sent to unknown third parties. That's part and parcel of the no-ads deal.

The other thing about this that I don't like is that the script is being served from LiveJournal, and not from the third party. Most third-party scripts, Google Analytics for example, are hosted on a domain owned by the third party, making them easier to block and (importantly!) meaning that the third-party script has no access to your cookies. Serving it from LJ may be a plus (it means they can't swap the script out without LJ noticing), or a minus (the script gets trusted the way any script from LJ is trusted, rather than being treated as coming from an unknown domain).

I think that the plus is outweighed by the technique used to get the information back from the third party: JSONP. This is getting longer than I wanted, and I need to get back to work, so I'm skipping the long explanation. But briefly, straightforward cross-domain requests are not possible because of the security concerns I touched on (very briefly) above. That means you can't simply make a request with JS from LJ to the third party and parse the response.

JSONP works around that by using embedded script tags, which puts the response in the context of the page making the request (meaning the script gets trusted the way any script from LJ is trusted, not treated like it's from an unknown domain, as above, and the response from the third party is trusted the same way). It's useful for working around cross-domain limitations, but you need to trust the third-party site. You need to really, really trust the third-party site. If the remote site chooses to insert extra values, or if it's coded badly so as to allow XSS, that also leaves you potentially vulnerable on your LJ.

The more I think about it, the less I want to put up posts with any kind of links on LJ, and that's hard, because links are the backbone of the web. How will I show you guys COOL (and DISGUSTING) stuff if I can't link you?

So, there's this Three Weeks for Dreamwidth, a celebration of DW going into open beta, which is a content-fest where you post (select) entries to only your Dreamwidth journal and not repost it anywhere else for three weeks. So far there's been a lot of amazing and positive content. I'm not officially part of it, and the fest doesn't ask for all crossposting to stop, but I feel like I need to step away in order to get past this block. I'm turning off crossposting for the next three weeks; I haven't yet decided what I'm going to do long-term.

*deep breath* If you want to say something, I've turned on screening for anonymous comments on this entry for both LJ and DW. I've also disabled IP logging for comments on LJ.

Date: 2010-04-28 04:57 am (UTC)
From: [personal profile] vlion
Yiiiick, that's basically an XSS assault.

BAD BAD BAD.

Date: 2010-04-28 06:24 am (UTC)
From: [personal profile] yvi
The other thing about this that I don't like is that the script is being served from LiveJournal, and not from the third-party. Most third-party scripts, Google Analytics for example, are hosted on a domain owned by the third-party, making it easier to block and (importantly!) meaning that the third-party script has no access to your cookies.

Hmmm, I was able to block scripts from outboundlink.net on LJ.

Of course, that resulted in me not being able to click on links, so it's not like it's a feasible thing to do...

Date: 2010-04-28 06:39 am (UTC)
From: [personal profile] yvi
*wanders over to LJ*

Okay, so apparently they now wrapped it into LJ.com? Wow, that's even worse...

And now blocking Livejournal.com means that links on site-scheme pages don't work. I am unimpressed.
Edited Date: 2010-04-28 06:40 am (UTC)

Date: 2010-04-28 06:42 am (UTC)
From: [personal profile] aveleh
If you can't click on the links, you probably also need to make sure you're blocking the script, not just the domain. (Since, as fu says, the script is hosted on LJ.)

You can also do the console thingy.

Date: 2010-04-28 06:44 am (UTC)
From: [personal profile] yvi
I am not logged in and on principle, I refuse to set the console command anyway, because I think LJ needs to fix these things and not make people use an opt-out through the console.

If you can't click on the links, you probably also need to make sure you're blocking the script, not just the domain.

Well, I am now blocking all scripts on Livejournal and it's unusable like that. For example, I can't click on "Login with openID" on an entry page. The link only opens if I open it in a new tab.

Date: 2010-04-28 01:17 pm (UTC)
From: [personal profile] eruthros
Yeah, I block all lj scripts most of the time, but sometimes I have to allow them briefly -- to login with openID, or to use the posting interface if I'm posting to a community, etc.

A blocking rule to try

Date: 2010-04-28 02:10 pm (UTC)
From: [personal profile] susanreads
I had that problem when I was blocking outboundlink.net using AdBlockPlus, but I added a filter of http://l-stat.livejournal.com/js/pagestats/* and it worked for me last time I was reading on LJ, which I think was yesterday. I don't have an LJ account, and the only LJ script I know I want to use is the one for expanding comments, and that worked, and links worked normally. I haven't been there since the latest changes if that means they're not transferring data from outboundlink, though.

Re: A blocking rule to try

Date: 2010-04-28 03:27 pm (UTC)
From: [personal profile] yvi
Yeah, well, if LJ refuses to work without me having to single out scripts to block them, I'd rather not use it at all. It's a principle thing :)

Date: 2010-04-28 08:57 am (UTC)
From: [personal profile] aquaeri
You've explained (with much more technical detail) why I'm also not comfortable even crossposting to LJ any longer. Do you mind if I post on LJ with a link to this, explaining to my LJ friends that I'm thinking about stopping crossposting?

Date: 2010-04-28 05:20 pm (UTC)
From: [personal profile] holyschist
Fantastic.

Well, I think I'm going to have to bite the bullet and stop posting LJ. My remaining friends will either continue letting me read or not.

Date: 2010-04-29 09:12 am (UTC)
From: [personal profile] oona
I read [personal profile] yvi's post about this the other day, and I had been wondering why my LJ links were not working well (I use NoScript and Adblock Plus). After I read her post, I completely marked all affiliate script sites as untrusted and just right click each link and open in a new tab. I also posted to my friends and linked to [personal profile] yvi. I am glad to see your post also Afuna, even though the details are over my head. It's much appreciated.

In the comments on LJ, some people were saying that the console option is not a complete fix.

I made another post over there and linked to you, Afuna.
Edited Date: 2010-04-29 09:32 am (UTC)