Kinda proud of this, so forgive me while I brag. I found a likely “phone home” tracking image in DocuSeal. I searched around: there was an extant issue about the image. I asked the devs: would they accept a PR to remove the image? A maintainer responded quickly that they were not interested in a PR to remove it, so I forked it in minutes with my tiny hack, built a new Docker image and re-deployed to my server after making a one-line change in a Docker Compose file.
Here’s the hack: https://github.com/meonkeys/docuseal/commit/e710678d
Happy to share my compose config as well if folks are interested.
I do want to put in a plug for DocuSeal: they made an excellent thing. It’s a fast and beautiful app for adding signatures to PDFs, similar to DocuSign or HelloSign, but awesomely AGPL licensed and easy to self-host. I got it running in minutes and it worked very well. I support what they’re doing and I want to see them succeed. OpenSign looks cool too but I haven’t tried that one yet.
So yeah. Self-hosting and FOSS FTW!
cross-posted to: reddit r/selfhosted (there’s no additional content in the post at that link. Sorry, I should have posted on Lemmy first! Anyway, above is the copy/pasted post so you can get it without having to use reddit)
Friend, please listen to reason.
The “code” you linked to is not functional code of any sort. Not to be nitpicky, it’s just an HTML image tag, so its Markup at best. All you did was stop the loading of an SVG image. The fact that they source it from their own domain tells you everything: they have a script that runs to check the current number of stars, then generates this image that reflects that. SVG is an image format. It’s really standard.
All your other points you’re making because you do not have much experience in the software realm, which I’m not saying to be dismissive or anything at all, I’m simply illustrating that all the points you’re questioning or mentioning are 100% standard.
Also, you might want to freak out about the social badges being sourced in this as well. This isn’t a “privacy first” project or anything. They aren’t doing anytweird, you’re just misunderstanding some things.
Loading external images will reveal to the site where it’s loaded from at least these things:
Also it can set third-party cookies which can be used to track specific user.
I don’t know if this project processes any of that data, but outside images can be used for tracking purposes.
At least it would be a good idea to limit some of this things for that img tag by setting some attributes that prevent referrer and cookies from being sent.
AGAIN.
This is not “phoning home” as claimed. It is not a SECURITY RISK as claimed. It is a privacy want/complaint/nag at the very VERY least. THIS IS ALSO NOT A PRIVACY FOCUSED PROJECT.
Refer to the original comment, and realize this was being run in a container. So, what…it’s a risk to have libcurl ide tidied on your server? Your IP address is so damn private and important? Literally nobody cares.
Y’all need to get better hobbies, seriously. Probably just need to get off the Internet if this is the stuff causing consternation in your lives.
Just to play devils advocate for a minute- Loading from their own domain means they can actually garner quite a bit of information from just the serving of the svg:
Date/time/IP are good enough for getting pretty good estimates of who all uses their software. Doesn’t matter if they are or aren’t using that data- it is being sent to them on their own accord and terms. The public has no way of knowing.
And this is all perfectly acceptable, as long as you do one of the following:
All of this doesn’t really matter if the dev isn’t willing to change anything about the remote image.
But a fork?? Yeah, totally unnecessary. You can take easily care of this at the reverse proxy layer by preventing the svg (or anything else for that matter) from being served. Just serve a 404 or something instead or do a regex replace and remove it altogether from the page prior to serving.