[HN Gopher] Tell HN: Toptal's HTML minification API occasionally...
___________________________________________________________________
Tell HN: Toptal's HTML minification API occasionally injects
tracking JavaScript
Just a heads up for anyone using their API - about 1 in 5 requests
will return with Cloudflare Insights tracking JS. It's not
mentioned anywhere in the API documentation, Privacy Policy, or
ToS. Fairly certain this is the package they based their service
on https://github.com/tdewolff/minify Edit: Here's a tweet I
posted with a screenshot of the code: https://twitter.com/cullend/s
tatus/1575243757624360960?s=20&t=JVhqXDJExBnrEVOXeFH4Jg
Author : cududa
Score : 60 points
Date : 2022-09-28 22:05 UTC (54 minutes ago)
| Alupis wrote:
| I really would like to know why anyone would use an API to minify
| javascript/css/html instead of using a local library, built-in
| webserver features, or relying on some front-end service like
| Cloudflare.
|
| Feels like we've jumped the shark if you need to send un-minified
| stuff to another server to get minified, sort of defeating the
| point in the first place...
| simlevesque wrote:
| Closure compiler has been a thing since forever. Some people
| don't want to fiddle and don't care about owning their tools.
| cududa wrote:
| Well the API was easy to implement, took minutes. Was more just
| out of convenience for producing a lot of assets that then get
| served to a lot of people. None of it ever went into production
| because we caught the requests pretty quickly this morning. As
| well, most of the python packages would mangle the minification
| - the one I linked to in the top post works great -
| documentation isn't up to date for python, but not horribly
| hard to setup
| bagels wrote:
| Using some node library you pull down is still vulnerable to
| exactly this same kind of injection attack vector.
| Alupis wrote:
| Except you're not then pounding on some pet side-project
| "API" stood up by a poaching agency...
|
| Seems insane anyone would even entertain the thought... it's
| trivially easy to minify whatever you want right within your
| app.
|
| And now here's OP bagging on this company for not disclosing
| this in some ToS or whatever, even though OP is the one
| abusing a free, obviously not-serious service.
| vlunkr wrote:
| It's like left-pad.io but real. Incredible
| joshmn wrote:
| My guess as to what is happening:
|
| 1. Toptal uses Cloudflare for DNS
|
| 2. Toptal uses Cloudflare Insights, which automagically inserts
| the tracking snippet of
| `https://static.cloudflareinsights.com/beacon.min.js/\\\*`
|
| 3. You send the request to Toptal and somewhere along the line,
| Cloudflare misinterprets the request and injects the tracking
| code
|
| It's not anything nefarious by Toptal. It's not their minify
| script. It's a misconfigured page rule, or similar. It's a bug.
| codegeek wrote:
| I think it is part of cloudflare's browser insights which is now
| part of their "Web Analytics". You will see this almost with any
| site using cloudflare that has web analytics enabled.
|
| https://community.cloudflare.com/t/beacon-min-js-as-malware/...
|
| https://developers.cloudflare.com/analytics/web-analytics/
|
| The site owner needs to configure cloudflare correctly to add
| analytics on certain pages only otherwise cloudflare injects it
| by default.
| Nicksil wrote:
| Good lookin out. Appreciate the heads-up.
| Bilal_io wrote:
| Are you sure that's not Cloudflare injecting the JS it on behalf
| of TopTal because they have CF analytics enabled?
|
| But I agree with your point, this should have been mentioned in
| their ToS and/or Privacy Policy.
| cududa wrote:
| Can't be sure, but that would be rather frightening if
| cloudflare is just injecting JS willynilly
| joshmn wrote:
| If CF is acting as a reverse proxy as it so often does --
| it's one of their core features -- it's not exactly
| willynilly.
| zo1 wrote:
| This is 90% in similarity to one of the top reasons we are
| pushing for HTTPS and DoH! The supposed "ISP" inserting
| "stuff" into our requests. Would be 100% except it's 5%
| less because the server "agreed" to it, and another 5%
| because it's not ads, just "tracking js". Maybe knock off
| an extra 80% because it's "Cloudflare" and they're the new
| "do no harm" giant like Google.
| Alupis wrote:
| jffry wrote:
| If you proxy your site through Cloudflare and turn on
| Cloudflare analytics, its default behavior appears to be to
| automatically add the JS tag for you in HTML responses [1]
| (you can also disable that and manually add the tag to your
| HTML)
|
| They provide a lot of this type of thing - rewriting HTML
| responses with optimizations "at the edge" instead of you
| doing it at your origin.
|
| [1] https://developers.cloudflare.com/analytics/web-
| analytics/ge...
___________________________________________________________________
(page generated 2022-09-28 23:00 UTC)