Skip to content

feat: handle permanent redirections privately #7

Description

@zefr0x

This is about giving news sources the ability to permanently change their informant parameters. It includes handling permanent HTTP redirections.

The threat is that news sources may exploit it to give each client unique redirection parameters, so if we changed the old ones in the database to the new redirection, it can be used as cookies to track users.

Next are proposed options:

  1. Handling permanent redirections as temporary redirections
    • Do the redirection in every fetch without modifying the original informant parameters in the database.
    • Legit permanent redirections will suffer from multiple round trips at every fetch, wasting resources.
  2. Restrict it to whitelisted redirections
    • HTTP to HTTPS redirection is the only safe one? (as we have more, it will lead to more unique combinations)
  3. Prompt the user for optional migration to the new informant parameters.
  4. Do no.2 automatically while having no.3 as a fallback for non-whitelisted redirections.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions