[Feature Request] Add option to toggle off news fetching
Feature Request
Is this feature request related to a problem?
DarkReader silently sends a POST request to darkreader.github.io, which is redirected to darkreader.org, a proprietary website as far as I know.
This poses a privacy issue. For the sake of the argument, let's suppose that the owner of darkreader.org decides to take nefarious actions and track users without consent. In that case, I could not know about that unless I'm told to.
So as far as things currently are, DarkReader could be classified as spyware, unfortunately. It collects user's data (including IP, which is not anonymous).
Screenshots
Location in code: ./src/background/newsmaker.ts:56
https://github.com/darkreader/darkreader/blob/0097a6d4c32fae10f13bbe8236d89e53a25191a8/src/background/newsmaker.ts#L56
Additional Context
I could suggest a few options:
- Transparency over the darkreader.org backend
- Toggle switch option for connecting to darkreader.org
- Bonus: disable news fetching by default and issue a request only upon clicking “Get news!” or “What’s new?”
A similar discussion took place on Etcher’s GitHub page: https://github.com/balena-io/etcher/issues/2977
Please enlighten me if there was any mistake in my statements. I’d like to emphasize that I'm a big fan of the work done on this project; it is really outstanding and I wish for it to become much more popular. Please give users the privacy that they deserve.
EDIT: Typo and link to Etcher issue
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (3 by maintainers)
Top GitHub Comments
@codeswhite I’m pretty confident that commit which makes news fetching optional (#4472) will be included in the upcoming Dark Reader release.
@codeswhite wrote:
Browser extensions are in a sense the worst XSS threat that the web has ever faced. If you installed an extension with `<all_urls>` and `tabs` permissions, then you have a much bigger problem on your hands than a benign server ping for recent blog post titles.
I glanced over that PR and it looks reasonable. It just needs to be updated to use `chrome.alarms` instead of `clearInterval` and `clearInterval`. If you have time to resolve merge conflicts and migrate to `chrome.alarms`, I can do a proper review, test this manually and add unit tests.
Also, we should make sure Dark Reader does not store extra unique identifiers like user id/session cookies, unique HTTP ETags, etc. The fetched URL contains `(new Date()).toISOString()`: https://github.com/darkreader/darkreader/blob/0097a6d4c32fae10f13bbe8236d89e53a25191a8/src/background/newsmaker.ts#L56 Is this really necessary? Off the top of my head, I do not see any legitimate reason for it. If user’s and server’s time is accurate, this value should match. If user’s time is not accurate, it might be somewhat uniquely identifying. If this is used to force cache off, it is probably redundant.
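The points raised in the comment above (opt-in fetching, scheduling through `chrome.alarms`, and a request that carries no client timestamp, cookies or cached ETag), as an added JavaScript sketch that is not part of the thread or Dark Reader's own code. `NEWS_URL`, `ALARM_NAME`, the 4-hour period and the `fetchNews` setting are hypothetical placeholders.

```javascript
// Added sketch, not Dark Reader's code. NEWS_URL, ALARM_NAME, PERIOD_MINUTES
// and the `fetchNews` setting are hypothetical placeholders.
const NEWS_URL = 'https://news.example.invalid/posts.json';
const ALARM_NAME = 'news-fetch';
const PERIOD_MINUTES = 4 * 60;

// Build a request with nothing that distinguishes one install from another:
// no query string (so no client timestamp), no cookies, no Referer, and no
// HTTP cache entry, so no stored ETag is replayed on later requests.
function buildNewsRequest() {
  return {
    url: NEWS_URL,
    init: {credentials: 'omit', cache: 'no-store', referrerPolicy: 'no-referrer'},
  };
}

// Keep the alarm in step with the user's choice. Call on startup and on every
// settings change. `alarms` has the shape of chrome.alarms.
function syncNewsAlarm(alarms, settings) {
  if (settings.fetchNews) {
    alarms.create(ALARM_NAME, {periodInMinutes: PERIOD_MINUTES});
    return true;
  }
  alarms.clear(ALARM_NAME);
  return false;
}

// Alarm handler. The setting is checked again here, so an alarm left over
// from before the user opted out never reaches the network.
async function onNewsAlarm(alarm, settings, fetchImpl) {
  if (alarm.name !== ALARM_NAME || !settings.fetchNews) {
    return null;
  }
  const {url, init} = buildNewsRequest();
  const response = await fetchImpl(url, init);
  return response.ok ? response.json() : null;
}

// Wiring inside an extension background context (skipped elsewhere).
// News fetching defaults to off until the user enables it.
if (typeof chrome !== 'undefined' && chrome.alarms) {
  const loadSettings = () => chrome.storage.local.get({fetchNews: false});
  chrome.alarms.onAlarm.addListener(async (alarm) =>
    onNewsAlarm(alarm, await loadSettings(), fetch));
  loadSettings().then((settings) => syncNewsAlarm(chrome.alarms, settings));
}
```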