Anonymizer breaks fancy-box

[mcnesium]

When using an anonymizer, links to embedded images are anonymized, too. Since fancy-box is doing an ajax request for the image, it gets confused by the server-side forwarding of the anonymizer.

[mcnesium]

Looks like Fancybox 3 does not have this issue. Just tested this in the devtools with adding http://nullrefer.com/? to the href entry of an image on the Fancybox example page.

Can we update this? :)

[jtojnar]

We are already using fancybox 3 in master. Could you try it out?

[mcnesium]

Okay sorry. I just did an npm upgrade and now run fancybox v3.2.5 here as well.

Still, a linked image will not show, instead the default fancybox error message is being displayed:

The requested content can not be loaded. Please try again later

So to explain my research: the old fancybox page runs v2.1.7 and when I edit one of the image links and add https://nullrefer.com/?http… to it in the devtools, the error message above appears.

But on the new fancybox page this does not happen. Instead, the expected image pops up.

I don't know whether this is a fancybox or a selfoss issue

[jtojnar]

I see the error even on the new demo site. Did you by chance not update the URLs in srcset attribute?

Actually, the issue is that nullrefer.com does client-side redirect using JavaScript, which is why it does not work – the browser receives a HTML page instead of an image. You would need to use an anonymizer that does server side redirects.

By the way, you do not need an anonymiser to prevent referrer leak. Since 2.15 (#741), we use a meta tag that prevents sending referrer. Check the browser support at https://caniuse.com/#feat=referrer-policy

[mcnesium]

ok, what about https://nullrefer.mcnesium.com/? which is just this PHP script:

<?php header('Refresh: 0;URL="'.$_SERVER['QUERY_STRING'].'"'); ?>

…

While I was writing this, I doublechecked and found that it does not work either with my own nullreferer.
Also, the fancybox developer replied in the referenced issue that it just "doesn't work" :(

So I guess there are no anonymized images for all of us.

[jtojnar]

Refresh header is weird and will not work with inline resources (images). You can use Location header instead.

---

But note that just like nullrefer, this is not anonymization (hiding the IP address of your browser). The only effect this will have is hiding the referer, which is already done better by the meta referrer tag.

[mcnesium]

Sure I know that this not being proxied or anything, I just don't want every webserver admin to know where I host my selfoss. Yet, I was not aware of the meta referrer tag and that it's already included in selfoss. A quick check with whatismyreferer.com indicates that it seems to work. So is the anonymizer feature obsolete?

[jtojnar]

Yes, it is obsolete. Unless, you really want to use it as a proxy to hide your identity – but that was never reliable.