On Sun, Jul 1, 2018 at 4:24 PM Barak Korren <bkorren(a)redhat.com> wrote:
On 1 July 2018 at 15:41, Nir Soffer <nsoffer(a)redhat.com> wrote:
> After watching Sarah Bird's great talk about the terrifying web[1], I
> found that for some reason 3rd party cookies were enabled in my browser.
>
> After disabling them, I found that gerrit is using 3rd party cookies from
> gravatar.com.
> (see attached screenshot).
>
> Why do we allow 3rd parties like gravatar to set cookies?
>
We don't "allow" 3rd parties. For a 3rd party to be able to set cookies on
your site you need to have some elements on your page that make the browser
pull content from them. In the case of Gravatar what we have are <img> tags
with "src" attributes that contain URLs that point to Gravatar and contain
one-way hashes of user email addresses. Those URLs resolve to the users'
avatars if they registered their emails with Gravatar.
This is just how Gravatar works - it's very simple and reliable; to have it
work differently would require complex and fragile server-side code on our
side and would probably be prone to more security issues than the current
system.
The only 3rd party we engage currently is Gravatar; I've no reason to
believe they engage in any sort of tracking. The maintainers of Gravatar are
also the maintainers of Wordpress, one of the bigger open-source
poster-child projects, which is all about people hosting their own stuff
rather than catering to the requirements of proprietary gate-keepers like
Facebook and GitHub (Now Microsoft...)...
Bottom line, I've strong reason to believe this is a false alarm.
Why not ask gravatar about this?
>
> Can we use gravatar without setting cookies?
>
This looks like a simple session cookie, try to log out of your account on
Gravatar and see if it vanishes...
I'm not logged to gravatar.
> [image: Screenshot from 2018-07-01 15-31-37.png]
> [1] https://il.pycon.org/2018/schedule/presentation/18/
>
> Nir
>
--
Barak Korren
RHV DevOps team , RHCE, RHCi
Red Hat EMEA
redhat.com | TRIED. TESTED. TRUSTED. |
redhat.com/trusted
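
An added example, not part of the original thread: the reply above notes that a 3rd party can only set cookies when the page contains elements that make the browser pull content from it, so this sketch lists the other hosts a page's markup would contact. The page URL, the host names, the sample markup and the same-host-or-subdomain rule are assumptions made for the illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL a browser fetches while rendering the page.
FETCHED = {"img": ["src"], "script": ["src"], "iframe": ["src"], "embed": ["src"],
           "source": ["src"], "audio": ["src"], "video": ["src", "poster"]}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that trigger a fetch


class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.third_party = defaultdict(list)  # host -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCHED.get(tag, [])
        if tag == "link" and LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            names = ["href"]
        for name in names:
            if not attrs.get(name):
                continue
            url = urljoin(self.page_url, attrs[name])  # resolves relative and // URLs
            host = urlsplit(url).hostname
            # Assumption: same host or a subdomain is first party (no Public Suffix List).
            if host and host != self.page_host and not host.endswith("." + self.page_host):
                self.third_party[host].append((tag, url))


def third_party_hosts(page_url, html):
    """Return {host: [(tag, url), ...]} for every non-first-party fetch in the markup."""
    audit = SubresourceAudit(page_url)
    audit.feed(html)
    return dict(audit.third_party)


# Constructed sample markup; host names and the hash value are placeholders.
SAMPLE = """
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://elsewhere.example/page">
<img src="avatars/local.png">
<img src="https://avatars.example.net/avatar/00000000000000000000000000000000?s=32">
<script src="//cdn.example.org/lib.js"></script>
"""

if __name__ == "__main__":
    print(third_party_hosts("https://review.example.org/c/1", SAMPLE))
```

Links that are only navigated to (`<a href>`, `rel="canonical"`) are deliberately left out, because the browser sends no request for them while loading the page.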