Twitter avatars, Firefox tracking protection, SSL mixed content, image proxying

If you enable tracking protection in Firefox, avatars in the generated Twitter feeds end up getting blocked:

The resource at "https://pbs.twimg.com/profile_images/1677325804/newsycbot_normal.gif" was blocked because tracking protection is enabled.

So, you get a broken image in every post of the feed, which is ugly, but not terrible. Firefox is actually doing a fairly reasonable thing here; unless you have third-party cookies disabled, you’ll get a tracking cookie when you load that image.

Twitter isn’t the only site that has this problem, and you run into similar issues with mixed SSL content (or sites that explicitly reference non-SSL content, like the Boston Globe’s The Big Picture, when you’re viewing NewsBlur via SSL), as well as with ad-blockers and tools like Privacy Badger, and even just sites that are down while you’re reading their feed.

So, a suggestion: have you considered the idea of (optionally) running a proxy for remote assets like this, something like what Google did recently for Gmail users? The basic idea would be rewriting (where feasible) inline requests for remote assets in a post to instead retrieve the asset through a NewsBlur proxy/cache, possibly even pre-populated ahead of time for performance in the case of popular feeds.

This has some operational cost (another piece of infrastructure to operate, and particularly in image-heavy feeds, the bandwidth requirements could be noticeable), and there are a ton of implementation details to consider (do you operate an authenticated-but-open proxy, or do you tag individual replaced assets and only proxy for them? how aggressively do you detect remote asset links? etc.) but the privacy benefits for users could be pretty substantial, assuming your users trust you. :wink:

(And, of course, if I’d have searched a little bit, I’d have seen that you’d already suggested doing exactly this two years ago. Sorry; feel free to close this out if it’s not helpful.)
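
The "tag individual replaced assets and only proxy for them" option from the post above, sketched as an added example (not part of the original thread and not NewsBlur's code). The proxy host, key, URL layout and function names are all assumptions; the upstream fetch and caching are left out.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical values for illustration only (not NewsBlur's).
PROXY_BASE = "https://imageproxy.example.invalid"
SECRET_KEY = b"constructed-demo-key"

# Constructed sample post: one remote avatar (URL from the post) and one inline image.
SAMPLE_POST = ('<p><img src="https://pbs.twimg.com/profile_images/1677325804/'
               'newsycbot_normal.gif" alt="avatar"> hi '
               '<img src="data:image/gif;base64,R0lG"></p>')

# Simplified matcher for double-quoted src attributes; a real rewriter would use an HTML parser.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")([^"]+)(")', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC-SHA256 tag that binds the proxy to one specific upstream URL."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    return f"{PROXY_BASE}/{sign(url)}/{quote(url, safe='')}"


def rewrite_post(html: str) -> str:
    """Feed-processing side: point remote http(s) images at the proxy."""
    def repl(m):
        src = m.group(2)
        if urlsplit(src).scheme not in ("http", "https"):
            return m.group(0)  # leave data:, relative and other sources untouched
        return m.group(1) + proxy_url(src) + m.group(3)
    return IMG_SRC.sub(repl, html)


def verify_request(path: str):
    """Proxy side: return the upstream URL if its tag is valid, else None."""
    try:
        tag, encoded = path.lstrip("/").split("/", 1)
    except ValueError:
        return None  # no tag/URL pair in the path
    url = unquote(encoded)
    # Constant-time comparison; an untagged or altered URL is refused,
    # so the service cannot be used as an open proxy.
    if not hmac.compare_digest(tag.encode("utf-8"), sign(url).encode("utf-8")):
        return None
    return url
```

Because the browser only ever contacts the proxy host, the third-party cookie and the mixed-content warning both go away for rewritten images, and the signature check keeps the proxy limited to URLs that actually appeared in a processed feed.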