[GH-ISSUE #4465] [Website] remove trackers and embeds and make the site legal in the EU #2674

Closed
opened 2026-05-05 09:20:11 -06:00 by gitea-mirror · 18 comments

Originally created by @D3V1LC0D3R on GitHub (Aug 10, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4465

Bug and expected behavior
When opening your webpage, the following trackers are loaded:

  • pubmine.com
  • stats.wp.com
  • google-analytics.com
  • graph.facebook.com
  • youtube.com

expected behaviour: ask before you load third-party resources or disable them completely

Reproduce
Steps to reproduce the behavior:

  1. open your webpage

Additional context
I hope this was not intentional as you're literally breaking European law (GDPR)

Checklist

  • [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

@kmk3 commented on GitHub (Aug 10, 2021):

@D3V1LC0D3R commented 12 hours ago:

> Bug and expected behavior
>
> When opening your webpage, the following trackers are loaded:
>
>   • pubmine.com
>   • stats.wp.com
>   • google-analytics.com
>   • graph.facebook.com
>   • youtube.com
>
> expected behaviour: ask before you load third-party resources or disable them
> completely
>
> Reproduce
>
> Steps to reproduce the behavior:
>
>   1. open your webpage
>
> Additional context
>
> I hope this was not intentional as you're literally breaking European law
> (GDPR)
>
> Checklist
>
>   • [x] This is not a question. Questions should be asked in
>     https://github.com/netblue30/firejail/discussions.

+1 to completely removing the following:

>   • pubmine.com
>   • stats.wp.com
>   • google-analytics.com
>   • graph.facebook.com
In the case of third-party embeds that require JavaScript (such as YouTube's),
I would go with one of the following:

  1. Make it a thumbnail which loads the embed only after clicking it (a bit more
    work)
  2. Make it a thumbnail with a link to the content (easier to implement)

One working example of the former that comes to mind is how GamingOnLinux does
it. For example, see this recent article:

https://www.gamingonlinux.com/2021/08/impressive-free-and-open-source-rts-0-ad-alpha-25-is-out-now

It contains the following at the very end:

> (video thumbnail)
>
> YouTube videos require cookies, you must accept their cookies to view.
> View cookie preferences.
>
> (Accept Cookies & Show) (Direct Link)

Other than having an event on the "Accept Cookies & Show" button, it's all
plain HTML.

I don't know much about WordPress and I don't know how straightforward this
would be to implement in it, but at least in pure HTML it does not appear to be
too complicated.
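
The click-to-load approach described in the comment above, as an added example (not part of the thread, and not GamingOnLinux's or firejail's code): the embed iframe is created only after the visitor clicks, so nothing is fetched from the video host before that. The `video-placeholder` class, the `data-video-id` and `data-title` attributes, the function names and the sample ID are assumptions made for this illustration.

```javascript
// Added example: click-to-load video embed. All names here are hypothetical.
//
// Markup the script expects (plain HTML; the thumbnail is served first-party):
//   <div class="video-placeholder" data-video-id="AAAAAAAAAAA" data-title="Demo">
//     <img src="/img/demo-thumb.jpg" alt="">
//     <button type="button">Accept cookies &amp; show</button>
//     <a href="https://www.youtube.com/watch?v=AAAAAAAAAAA">Direct link</a>
//   </div>

// Assumption: video IDs are 11 characters from the URL-safe base64 alphabet.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Build the embed URL only from a validated ID, so a tampered data attribute
// cannot turn the iframe into a frame for an arbitrary site.
function embedUrl(videoId) {
  if (typeof videoId !== 'string' || !VIDEO_ID.test(videoId)) {
    throw new Error('invalid video id');
  }
  return `https://www.youtube-nocookie.com/embed/${videoId}?autoplay=1`;
}

// Swap one placeholder for the real player. Until this runs, the page holds
// no element that loads anything from the third party.
function activate(placeholder, doc) {
  const iframe = doc.createElement('iframe');
  iframe.src = embedUrl(placeholder.dataset.videoId);
  iframe.title = placeholder.dataset.title || 'Embedded video';
  iframe.allow = 'autoplay; encrypted-media; fullscreen';
  placeholder.replaceWith(iframe);
  return iframe;
}

// Attach one click handler per placeholder; returns how many were found.
function wirePlaceholders(doc) {
  const placeholders = doc.querySelectorAll('.video-placeholder');
  for (const placeholder of placeholders) {
    const button = placeholder.querySelector('button');
    if (button) {
      button.addEventListener('click', () => activate(placeholder, doc), { once: true });
    }
  }
  return placeholders.length;
}

// In a browser, wire the page; under Node (no DOM) this is skipped.
if (typeof document !== 'undefined') {
  wirePlaceholders(document);
}
```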


@SkewedZeppelin commented on GitHub (Aug 10, 2021):

@rusty-snake 's website rewrite solves this afaik.


@kmk3 commented on GitHub (Aug 11, 2021):

@SkewedZeppelin commented 38 minutes ago:

> @rusty-snake 's website rewrite solves this afaik.

Yes, the rewrite does not appear to be affected by this, but it's still WIP
AFAIK. Here's a link for future reference:

https://rusty-snake.github.io/firejail/

So while the wordpress site is considered the official/canonical one (which I
assume will be the case for a while), I think that at least removing the
aforementioned trackers would be a big improvement and also potentially easy to
do.


@kmk3 commented on GitHub (Aug 11, 2021):

> https://rusty-snake.github.io/firejail/

Links to issues related to the rewrite for cross-reference:

  • https://github.com/netblue30/firejail/issues/2713
  • https://github.com/netblue30/firejail/issues/2729

@rusty-snake commented on GitHub (Aug 11, 2021):

> @rusty-snake 's website rewrite solves this afaik.

👍 The only third parties are fonts.googleapis.com which can be removed and youtube.com which can be made click2play+youtube-nocookie.com or changed to first-party or peertube if we want.


@topimiettinen commented on GitHub (Aug 11, 2021):

> ask before you load third-party resources or disable them completely

I don't think GDPR works like this at all, your interpretation would probably make most Wordpress pages or those which embed youtube videos sites illegal. For example, German Wordpress (https://wordpress.com/de/) links also to stats.wp.com and uses Google APIs and I think German interpretation of GDPR is stricter than some other EU countries. Can you point to legal analysis where third party resources in frame of GDPR are discussed?

Having said that, removing trackers and/or switching away from Wordpress makes sense.


@rusty-snake commented on GitHub (Aug 11, 2021):

Even the website of the "Bundesbeauftragter für den Datenschutz und die Informationsfreiheit" (en: Federal Commissioner for Data Protection and Freedom of Information; https://www.bfdi.bund.de) includes piwik.itzbund.de. Maybe because of a legitimate interest or because it does not collect personally identifiable information (PII). IDK, but those are the two relevant terms in the GDPR AFAIK. (IANAL)

> > ask before you load third-party resources or disable them completely
>
> I don't think GDPR works like this at all,

Not sure if @D3V1LC0D3R means that referring to the GDPR or as a privacy best practice.
Anyway the only third-parties that are "necessary" are

  • wp.com (the "wordpress CDN")
  • gravatar.com
  • youtube.com (maybe change this to youtube-nocookie.com)

> those which embed youtube videos sites illegal

(site rant) Had anyone said copyright?
You did what? You linked to a yt video which includes an illegal copied meme for 2s at a halfscreen?!


@D3V1LC0D3R commented on GitHub (Aug 11, 2021):

> > ask before you load third-party resources or disable them completely
>
> I don't think GDPR works like this at all, your interpretation would probably make most Wordpress pages or those which embed youtube videos sites illegal. For example, German Wordpress (https://wordpress.com/de/) links also to stats.wp.com and uses Google APIs and I think German interpretation of GDPR is stricter than some other EU countries. Can you point to legal analysis where third party resources in frame of GDPR are discussed?
>
> Having said that, removing trackers and/or switching away from Wordpress makes sense.

to my knowledge it is illegal in Germany: https://usercentrics.com/knowledge-hub/non-compliant-cookie-banner/


@D3V1LC0D3R commented on GitHub (Aug 11, 2021):

(image)
this is illegal, as the German court considered this as not a legal consent.
source: https://www.datenschutzerklaerung.info/cookie-consent-tools-lg-rostock/

EDIT: image source: https://www.finch.com/blog/cookie-consent-tools-and-nudging/


@D3V1LC0D3R commented on GitHub (Aug 11, 2021):

as a matter of fact github uses illegal data collection practices as well (they have an eventlogger and a browser fingerprinter without any consent)


@rusty-snake commented on GitHub (Aug 11, 2021):

Well if you have a GH account you accepted GH's privacy statement, but if not ...


@D3V1LC0D3R commented on GitHub (Aug 11, 2021):

> Well if you have a GH account you accepted GH's privacy statement, but if not ...

no, accepting a policy does not mean that a company can do anything to you. You have to be well informed (or did you know that every github email includes a tracking pixel <img src="https://github.com/notifications/beacon/[ID].gif" height="1" width="1" alt="" />)


@kmk3 commented on GitHub (Aug 11, 2021):

@rusty-snake commented on Aug 11:

> > @rusty-snake 's website rewrite solves this afaik.
>
> +1 The only third parties are fonts.googleapis.com which can be removed

That would be nice and to expand a bit on it: I'm more inclined towards just
using "serif", "sans-serif" and "monospace" and letting the browser use the
native/configured fonts. If custom fonts would make a significant difference,
they could be committed to the repo (preferably fonts under a libre font
license).

> and youtube.com which can be made click2play+youtube-nocookie.com

Nice; click2play (/click2loadTheEmbed) would be the most important change IMO,
as it deals with third-party proprietary JavaScript.

I don't know about the pros/cons of youtube.com vs youtube-nocookie.com; the
only site I remember seeing using the latter is Wikia.

> or changed to first-party or peertube if we want.

A PeerTube mirror would be great (see #4076).

If by "first-party" you mean committing videos to a repository, I'm not sure if
that would be a good idea, considering non-trivial video sizes and it might be
against the ToS. If that's workable, I'd put them on a separate repository
(e.g.: firejail-media) to not bloat up the main one.


By the way, since there is no issue tracker in the rewrite repo, should we open
issues about it in here?


@rusty-snake commented on GitHub (Aug 12, 2021):

> By the way, since there is no issue tracker in the rewrite repo, should we open
> issues about it in here?

I could enable it, however nobody will see it there.

> I don't know about the pros/cons of youtube.com vs youtube-nocookie.com;

https://www.ghacks.net/2018/05/23/why-you-should-always-use-youtubes-privacy-enhanced-mode/


@topimiettinen commented on GitHub (Aug 12, 2021):

> to my knowledge it is illegal in Germany: https://usercentrics.com/knowledge-hub/non-compliant-cookie-banner/

I think you are confusing uses of cookies (and related requests) with links to third party sites.


@rusty-snake commented on GitHub (Aug 13, 2021):

🚀 Third-parties are removed from https://rusty-snake.github.io/firejail/.

  • fonts.googleapis.com is blocked via CSP (ATM)
  • youtube videos use youtube-nocookie.com (even if this doesn't make any differences because of the next point)
  • youtube videos are click to play/load
  • img.youtube.com is still contacted to fetch the thumbnail. This can be fixed together with all the other images.
  • only the about page is updated so far.
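
How a Content-Security-Policy yields the state listed in the comment above (fonts host refused, nocookie player and thumbnail host let through), as an added example that is not part of the thread or the site's code. The policy string, the `example.org` origin and the sample URLs are constructed for illustration; the matcher is a reduced one and assumes default ports.

```javascript
// Added example: reduced CSP matcher ('self', 'none', *, scheme and host sources
// only; no nonces, hashes, ports or paths). Origin and policy are constructed.
const SELF_ORIGIN = 'https://example.org';
const POLICY = "default-src 'self'; img-src 'self' https://img.youtube.com; " +
  'frame-src https://www.youtube-nocookie.com';

// Parse "name src src; name src" into Map(name -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Match one source expression against a parsed URL.
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (source.startsWith("'")) return false; // 'none' and unsupported keywords
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // Simplification: a host source without a scheme is treated as https-only.
  const scheme = `${(m[1] || 'https').toLowerCase()}:`;
  const host = m[2].toLowerCase();
  if (scheme !== url.protocol) return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.a.b" matches subdomains only
    : url.hostname === host;
}

// Decide one load; frame-src falls back to child-src, everything to default-src.
function isAllowed(directives, directive, rawUrl, selfOrigin) {
  const chain = directive === 'frame-src'
    ? ['frame-src', 'child-src', 'default-src']
    : [directive, 'default-src'];
  const name = chain.find((d) => directives.has(d));
  if (name === undefined) return true; // nothing in the policy governs this load
  const url = new URL(rawUrl);
  return directives.get(name).some((s) => sourceMatches(s, url, selfOrigin));
}

// Hostnames of the loads the policy would refuse.
function blockedLoads(policy, loads, selfOrigin) {
  const directives = parseCsp(policy);
  return loads
    .filter(([directive, url]) => !isAllowed(directives, directive, url, selfOrigin))
    .map(([, url]) => new URL(url).hostname);
}

// Constructed sample loads, using hosts named in the thread.
const SAMPLE_LOADS = [
  ['style-src', 'https://fonts.googleapis.com/css?family=Constructed'],
  ['frame-src', 'https://www.youtube-nocookie.com/embed/AAAAAAAAAAA'],
  ['img-src', 'https://img.youtube.com/vi/AAAAAAAAAAA/0.jpg'],
  ['script-src', 'https://www.google-analytics.com/analytics.js'],
  ['script-src', 'https://example.org/js/main.js'],
];
console.log(blockedLoads(POLICY, SAMPLE_LOADS, SELF_ORIGIN));
```

Dropping `https://img.youtube.com` from `img-src` in the constructed policy makes the thumbnail request show up in the refused list as well, which is the remaining item the comment mentions.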

@SkewedZeppelin commented on GitHub (Sep 13, 2021):

> I'm more inclined towards just using "serif", "sans-serif" and "monospace"

I use this:

```
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Droid Sans", "Helvetica Neue", Helvetica, sans-serif;
```

You can find various variations of it online.


@D3V1LC0D3R commented on GitHub (Jun 17, 2022):

i guess this is mostly solved, thanx

Reference: github-starred/firejail#2674