This post knows where you're viewing it from (Lemmy doesn't proxy external images) [ARCHIVED]

TriLinder@lemmy.ml to Technology@lemmy.ml – 162 points –

Note: This post now archived and as such no longer works

An external image showing your user-agent and the total "hit count"

24

This is possible because Lemmy doesn't proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.

Note, that the only thing that I willingly log is the "hit count" visible in the image, and I have no intention to misuse the data.

I guess it knows that it's unknown

I guess Donald Rumsfeld was right.

This is true for most link aggregators that attempt to render external content. Proxying images and videos would dramatically increase costs.

If you care that much about anonymity, use a VPN/Tor and a browser with advanced fingerprinting resistance — tor browser, mullvad browser, or firefox with resist fingerprinting = true.

At the very least setting referer policy headers and such would be a good addition.

That's great except those browsers often don't work.

4 more...

Hexbear.net stays winning, external embeds are domain whitelist-only until pictrs adds proxying support, and blurred by default.

Good PSA tho, I'd honestly encourage other instances to do the same but it requires dev effort that I know not everyone has, and upstream isn't quite as paranoid about this stuff.

For reference:

Cool, didn't know some Lemmy instances did this

Is there a pull request for it though?

as far as I know upstream lemmy doesn't want it and is waiting on pictrs proxying support. If I'm wrong though our code is public, I'm sure a dev would be happy to put together a PR,

This reminds me of those old forum signatures which looked like a signpost, and showed your IP address, browser, OS etc. They were pretty popular back then (when no one cared about their privacy), to the point that some folks even made parody versions of those signatures (like changing the IP to "127.0.0.1" or writing a funny message).