Instructions on how to add custom HTTP response headers to common web and proxy server configurations.
https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
Thanks for the heads up. Will implement the opt-out ASAP. As a reminder, Artix doesn't use anything google across its sites (https://forum.artixlinux.org/index.php/topic,1502.msg10519.html#msg10519).
Not to nitpick, but as I use privacy-respecting browsers Librefox and ungoogled-chromium, I noticed that artixlinux.org still makes some requests to google.com. I suggest maybe switching jquery to hosted instead of a CDN, and the same for favicons. Favicons are a potential security risk.
(https://i.imgur.com/GbnfSlk.png)
All our sites have been de-FLoC'ed in httpd. Fontawesome has been made local. Not sure if, how and why favicons pose a problem, they are all local.
The only part that still uses some CDN is the forum software (Elkarte), which is third-party and I don't want (read: can't) mess with it. If you have the time, please audit and report.
From what I can tell, it's not the local favicons of this (and other official Artix Linux) websites that are the problem, but rather those little favicons beside each link. In this page can see requests for:
https://www.google.com/s2/favicons?domain=https://artixlinux.org
https://www.google.com/s2/favicons?domain=https://forum.artixlinux.org
https://www.google.com/s2/favicons?domain=https://nosystemd.org
https://www.google.com/s2/favicons?domain=https://paramdeo.com
https://www.google.com/s2/favicons?domain=https://systemd-free.artixlinux.org
https://www.google.com/s2/favicons?domain=https://wiki.artixlinux.org
From a quick search & lookaround, it seems that jquery can be served locally (https://www.elkarte.net/community/index.php?topic=5249.msg37435#msg37435) and that you can disable favicons next to links (which is the reason for those //www.google.com/s2/favicons URLs) (I haven’t found a discussion about it, but their forum doesn’t show them).
As a non-admin I unfortunately cannot tell how to do it.
Most of the icons next to the links are fontawesome glyphs (a couple are svg/png), which are now served locally (I don't particularly like that, because it consumes unnecessarily high bandwidth and I may revert it in the future if I find a suitably privacy-respecting CDN; hopefully our Cloudflare front caches and serves fontawesome itself). Also, no idea where that paramdeo.com links comes from (I'll grep it later). Are you sure your browser CSS cache is cleared?
I am talking about icons next to links in posts/signatures. If you go through posts from top to bottom (I remove the protocols not to trigger the favicons again)
- link to paramdeo → request to //www.google.com/s2/favicons?domain=https://paramdeo.com
- link to elsewhere on this forum → request to //www.google.com/s2/favicons?domain=https://forum.artixlinux.org
link in your signature → request to //www.google.com/s2/favicons?domain=https://systemd-free.artixlinux.org - etc
Oh, while you were posting this I found the culprit: UrlFavicon Elkarte addon. I'll see if I can find a good alternative to google's service. DDG is incomplete, currently switched to yandex edited to use Github's service (http://favicons.githubusercontent.com/artixlinux.org) .
Why favicons are bad (just one of the pages about this):
https://www.ghacks.net/2021/01/22/favicons-may-be-used-to-track-users/
https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf
In short, they can be used to track users.
In general, any request going through Google (as well as CDNs like Cloudflare) can be filtered through some backend and logged, parsed, etc. along with all the request parameters. It's also why extensions like this one (https://addons.mozilla.org/en-US/firefox/addon/dont-track-me-google1/) exist.
I understand your concern and I'm on the same boat. However, we currently lack the manpower and the infrastructure to shield our sites from attacks that Cloudflare conveniently deters. More over, privacy-conscious users already know how to protect themselves (as you have clearly pointed out) from this level of tracking and, honestly, Artix can't do much more to protect unsuspecting users: if they don't fingerprint you here, they'll fingerprint you at the next site you visit.
Having said that, we are always open to suggestions but even more so to contributions. There's this nice project (https://github.com/keeweb/favicon-proxy) which we could deploy, but (since my Javascript skills are next to zero) I would accept all the help I can get setting it up.