-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hotlinked images for bookmark cards are a bad practice with numerous issues #12880
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Still an issue. |
Our bot has automatically marked this issue as stale because there has not been any activity here in some time. The issue will be closed soon if there are no further updates, however we ask that you do not post comments to keep the issue open if you are not actively working on a PR. We keep the issue list minimal so we can keep focus on the most pressing issues. Closed issues can always be reopened if a new contributor is found. Thank you for understanding 🙂 |
Still an issue. |
Yeah, but bug reports don't really seem wanted. |
2023 and still a big issue for us as well! |
Still an issue. It also leaks analytics to the linked sites, because with each request of the hotlinking page a request is being made to the linked site and registered in their server logs. Thankfully Ghost uses by default a Probably neither the analytics leaks nor the redirecting is something @ErisDS wants for their customers. If people want to mitigate the problem for at least the favicon, they can use a data URL to embed the icon in the page. A base64-encoded png would be This base64 embedding works in this case, because Ghost's bookmark cards cannot parse data URLs. But it doesn't work retroactively, because the icon has already been linked. |
Closing all open issues if no one is actively working on them is a strange approach. They should close the ones they don't plan to implement, but closing them with no one even taking a look at it is strange. |
Apparently the analytics leakage spreads to third-party newsletters as well, because the newsletter creators put Google Analytics tags ( I think I'll get some popcorn. |
Possible solution :) : |
This is a valid bug, thanks for pinging me - we’ll get it triaged and resolved. |
@JohnONolan You might also think about making the |
Ghost is currently hotlinking images used for bookmark cards: favicons, web manifest icons, Apple touch icons, Open Graph icons, etc. These images break if the site changes the location of the images, which shouldn't break anything as long as they update the references to them. It's also broken by
Cross-Origin-Resource-Policy: same-origin
.Beyond the issues with it breaking, it's also a privacy issue since the user's web browser is loading all these images and passing a referrer header unless the blog has disabled it with
Referrer-Policy
. Each one of these is essentially adding tracking pixels to the page.This is also simply a bad practice overall. Websites don't link having their images hotlinked and it's not how Open Graph is intended to be used. You're meant to fetch the image that's currently referenced to cache it. The site should be able to change the path of the image. A site might replace / update an image and they usually won't have a redirect from the old location to the new one since it's only meant to be used as currently referenced in the HTML.
I'm writing this not as a user of your software but rather someone having their images hotlinked. I noticed Open Graph images were being used via legacy paths through redirects set up for them and investigated why it was happening. I think for now we'll reluctantly set
Cross-Origin-Resource-Policy: cross-origin
for the images that are being used to keep it working but this should really be overhauled.The text was updated successfully, but these errors were encountered: