Whitelisting google.com leaks to pages framed by Google image search
When I disable Ghostery on google.com and I click an image search result it goes to the image preview screen and allows all the trackers from the original website.
-
Greetings Beno,
Thanks for using Ghostery!
Are you using Chrome? Are you actually disabling Ghostery in your extensions menu or pausing?
-
Alright I figured out what it's doing - it's attributing and allowing the trackers from an iframe holding a different domain, to the domain you're browsing.
It's not specific to Google images, they just happen to have iframes with external websites in them.
You can reproduce it by making an HTML file with in it and uploading it to anywhere except Mashable:
-
I think the problem is I expect different behavior when it's a website in an iframe - it doesn't make sense that the 2nd website inherits the settings from the first. When it's an advertisement or social button or w/e the behavior makes sense.
-
Hi beno1234,
I see what you mean, but I am not sure what to do about it. Whole pages getting framed is a bit of a corner case. We might have to do something special for site whitelisting on Google Image Search and some other places like it.
-
You could try providing more specific URLs to Ghostery's whitelist (on the options page) as a workaround. For example, instead of whitelisting google.com, you could whitelist google.com/ig to exempt iGoogle from blocking.
-
In hindsight I think page vs widget was a red herring, there are a lot of embedded things that can take advantage of this although the only one I noticed doing so is Disqus - they use Google Analytics and Scorecard Research via disqus.com in an iframe if you're browsing a page on a whitelisted site. Wikipedia says they're used by 750,000+ websites.
Embedded content from YouTube, Google Maps, Facebook comments and like buttons, Twitter, Google Plus etc could also include trackers if they wanted to.
What about looking at the iframe parentage and blocking anything that's not directly on the page on the domain I whitelist -
domain1.com is whitelisted
-> domain1.com/page1.html google ads is allowed
-> domain1.com/page1.html iframe of domain2 is allowed, BUT
-> domain2.com/page2.html google ads remains blocked unless I whitelist domain2
-> domain2.com/page2.html chartbeat remains blocked
It could also be mitigated a bit if whitelisting only allows the originally identified services to be unblocked, although common stuff like GA and AdSense would probably slip through a lot plus dependency hassles maybe.
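
The parentage check proposed in the last post, set beside the inheriting behaviour reported in the thread, as an added example (not part of the thread and not Ghostery's code). The tracker hosts, the `shouldBlock` function, the frame-chain input and the whitelist entry format are assumptions made for illustration.

```javascript
// Constructed tracker list for illustration; not Ghostery's real database.
const TRACKERS = ["ads.example", "chartbeat.example"];

// True when host equals domain or is a subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Assumed entry format: "domain" or "domain/path-prefix" (e.g. google.com/ig),
// matched with a simple path-prefix comparison.
function isWhitelisted(docUrl, whitelist) {
  const { hostname, pathname } = new URL(docUrl);
  return whitelist.some((entry) => {
    const slash = entry.indexOf("/");
    const domain = slash === -1 ? entry : entry.slice(0, slash);
    const prefix = slash === -1 ? "/" : entry.slice(slash);
    return hostMatches(hostname, domain) && pathname.startsWith(prefix);
  });
}

// frameChain: document URLs from the top-level page down to the frame that
// issued the request. "inherit" uses the top-level page's whitelist status
// (the behaviour reported above); "per-frame" uses the issuing frame's own.
function shouldBlock(requestUrl, frameChain, whitelist, policy) {
  const reqHost = new URL(requestUrl).hostname;
  if (!TRACKERS.some((t) => hostMatches(reqHost, t))) return false; // not a tracker
  if (frameChain.length === 0) return true; // unknown origin: fail closed
  const deciding = policy === "inherit"
    ? frameChain[0]
    : frameChain[frameChain.length - 1];
  return !isWhitelisted(deciding, whitelist);
}

// The four cases from the post, with domain1.com as the only whitelisted site.
function demo(policy) {
  const wl = ["domain1.com"];
  const top = ["http://domain1.com/page1.html"];
  const nested = [...top, "http://domain2.com/page2.html"];
  return {
    adsOnPage1: shouldBlock("http://ads.example/a.js", top, wl, policy),
    frameOfDomain2: shouldBlock("http://domain2.com/page2.html", top, wl, policy),
    adsOnPage2: shouldBlock("http://ads.example/a.js", nested, wl, policy),
    chartbeatOnPage2: shouldBlock("http://chartbeat.example/c.js", nested, wl, policy),
  };
}
```

Under `"per-frame"` the two requests issued from the domain2.com frame stay blocked; under `"inherit"` they are allowed because the top-level page is whitelisted.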
