This post knows where you're viewing it from (Lemmy doesn't proxy external images)

https://lemmy.ml/post/3180964


An external image showing your user-agent and the total "hit count" [https://trilinder.pythonanywhere.com/image.jpg]

This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

Note that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.

Spy pixel - Wikipedia

This is true for most link aggregators that attempt to render external content. Proxying images and videos would dramatically increase costs.

If you care that much about anonymity, use a VPN/Tor and a browser with advanced fingerprinting resistance — Tor Browser, Mullvad Browser, or Firefox with resist fingerprinting = true.

At the very least setting referer policy headers and such would be a good addition.
That’s great except those browsers often don’t work.

Hexbear.net stays winning, external embeds are domain whitelist-only until pictrs adds proxying support, and blurred by default. I’d honestly encourage other instances to do the same but it requires dev effort that I know not everyone has, and upstream isn’t quite as paranoid about this stuff.

For reference:

Is there a pull request for it though?
As far as I know, upstream Lemmy doesn’t want it and is waiting on pictrs proxying support. If I’m wrong though, our code is public; I’m sure someone would be happy to put together a PR.
Cool, didn’t know some Lemmy instances did this

*removed externally hosted image*

Looks like your home instance hexbear.net is filtering external images.
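
The domain-allowlist filtering described in this thread can be sketched as follows. This is an added example, not Hexbear's or Lemmy's code; it assumes embeds arrive as markdown image syntax, and the function names and `.example` hosts are made up for illustration.

```javascript
// Added example: allowlist filter for markdown image embeds (not Lemmy or Hexbear code).
const PLACEHOLDER = "*removed externally hosted image*"; // text quoted in the thread

// Matches ![alt](url) and ![alt](url "title"); alt text may be empty.
const IMAGE_RE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// True only for http(s) URLs whose exact hostname is on the allowlist.
function isAllowedImage(rawUrl, instanceOrigin, allowedHosts) {
  let url;
  try {
    url = new URL(rawUrl, instanceOrigin); // resolves relative and //host/path forms
  } catch {
    return false; // unparseable: treat as external
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Exact match, so "lemmy.example.tracker.example" does not pass as "lemmy.example".
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Replaces every non-allowlisted image embed and reports what was removed.
function filterExternalImages(markdown, instanceOrigin, allowedHostList) {
  const allowedHosts = new Set(allowedHostList.map((h) => h.toLowerCase()));
  allowedHosts.add(new URL(instanceOrigin).hostname.toLowerCase());
  const removed = [];
  const text = markdown.replace(IMAGE_RE, (match, _alt, rawUrl) => {
    if (isAllowedImage(rawUrl, instanceOrigin, allowedHosts)) return match;
    removed.push(rawUrl);
    return PLACEHOLDER;
  });
  return { text, removed };
}

// Constructed sample post body; every host here is a placeholder.
const samplePost = [
  "![local](/pictrs/image/abc.png)",
  "![ok](https://images.allowed.example/cat.jpg)",
  "![hit counter](https://tracker.example/image.jpg)",
  "![lookalike](//lemmy.example.tracker.example/p.gif \"t\")",
  "A plain [link](https://tracker.example/page) is left alone.",
].join("\n");

const result = filterExternalImages(samplePost, "https://lemmy.example", ["images.allowed.example"]);
console.log(result.text);
console.log("removed:", result.removed);
```

Ordinary links are left untouched because the browser only fetches them when the reader clicks, while an image embed is fetched as soon as the post renders.
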
But I’m not on chrome mobile…
It’s the same for me

I guess mobile clients screw with their fingerprinting method. Also doesn’t work on Slide.

It sees my phone fine (Chrome + Android)
Wait what, slideforreddit works for lemmy now?
Looks like Sync in the screenshot, I think that's what they meant
I guess Donald Rumsfeld was right.
This reminds me of those old forum signatures which looked like a signpost, and showed your IP address, browser, OS etc. They were pretty popular back then (when no one cared about their privacy), to the point that some folks even made parody versions of those signatures (like changing the IP to “127.0.0.1” or writing a funny message).

My favorite Linux distro: Windows.