Hacker News | cxr's comments

That extension cannot be fingerprinted by its content-accessible resources. It doesn't declare any in its manifest.

That's a different form of defense. The original claim in this thread was that LinkedIn's fingerprinting implementation was making cross-site requests to Chrome Web Store, and that they were reading back the response of those requests.

Firefox isn't susceptible to that, because that's not how Firefox and addons.mozilla.org work. Chrome, as it turns out, isn't susceptible to it, either, because that's also not how Chrome and the Chrome Web Store work. (And that's not what LinkedIn's fingerprinting technique does.)

(Those randomized IDs for content-accessible resources, however, do explain why the technique that LinkedIn actually uses is a non-starter for Firefox.)


> I suggest everyone take a look at the list of extensions and their names for some very important context[…] I didn't find popular extensions like uBlock

Unsurprising outcome since uBlock (specifically: uBlock Origin Lite, the only version available for Chrome on the Chrome Web Store) makes itself undetectable using this method. (All of its content-accessible resources have "use_dynamic_url" set to "true" in its extension manifest.) So its absence in this data is not dispositive of any actual intent by LinkedIn to exclude it—because they couldn't have included it even if they wanted to.
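As an added example (not from the thread, the linked repository, or any extension's own code), this sketch audits an extension manifest for resources that a web page could load at a fixed URL, the property the comment above describes. The function names `auditManifest` and `isFingerprintable` and the sample manifests are constructed for illustration; it assumes Chrome's manifest semantics, where a Manifest V2 `web_accessible_resources` list is a flat array of paths and a Manifest V3 list is an array of objects.

```javascript
// Added example: which web-accessible resources can a page probe at a fixed URL?
// Assumes Chrome manifest semantics; sample manifests are constructed.
function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2: flat list of paths, loadable by any page.
      findings.push({ resource: entry, exposedTo: ["<all_urls>"], probeable: true });
      continue;
    }
    const matches = entry.matches || [];
    const dynamic = entry.use_dynamic_url === true;
    for (const resource of entry.resources || []) {
      // Probeable: some web origin may load it and the URL is not per-session.
      findings.push({ resource, exposedTo: matches, probeable: matches.length > 0 && !dynamic });
    }
  }
  return findings;
}

function isFingerprintable(manifest) {
  return auditManifest(manifest).some((f) => f.probeable);
}

// Constructed sample manifests.
const SAMPLES = {
  noResources: { manifest_version: 3, name: "declares nothing" },
  staticUrl: {
    manifest_version: 3,
    web_accessible_resources: [{ resources: ["sidebar.html"], matches: ["<all_urls>"] }],
  },
  dynamicUrl: {
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["sidebar.html"], matches: ["<all_urls>"], use_dynamic_url: true },
    ],
  },
  extensionsOnly: {
    manifest_version: 3,
    web_accessible_resources: [{ resources: ["api.js"], extension_ids: ["*"] }],
  },
  legacyV2: { manifest_version: 2, web_accessible_resources: ["icon.png"] },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, isFingerprintable(manifest) ? "probeable" : "not probeable");
}
```

An extension author can run the same check against their own `manifest.json` to see which entries still need `use_dynamic_url` or a narrower `matches` list.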


It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link.

"The code" here you're referring to (fetch_extension_names.js[1]) isn't and doesn't claim to be LinkedIn's fingerprinting code. It's a scraper that the researcher behind this repo wrote themselves in order to create the CSV of the data that they're publishing here.

LinkedIn's fingerprinting code, as the README explains, is found in fingerprint.js[2], which embeds a big JSON literal with the IDs of the extensions it probes for. (Sickeningly enough, this data starts about two-thirds of the way through the file* and isn't the culprit behind the bulk of its 2.15 MB size…)

* On line 34394; the one starting:

    const r = [{
                id: "aacbpggdjcblgnmgjgpkpddliddineni",
                file: "sidebar.html"

1. <https://github.com/mdp/linkedin-extension-fingerprinting/blo...>

2. <https://github.com/mdp/linkedin-extension-fingerprinting/blo...>


Thanks, my fault for not reading the README and just doing a quick read of the code.

In order to create the data source that LinkedIn's extension-fingerprinting relies on to work, someone (at LinkedIn*?) almost certainly violated the Chrome Web Store TOS—by (perversely*) scraping it.

* if LinkedIn didn't get it from an existing data source


Programmers don't appreciate the fact that you can just violate terms of service. You can just do it. It's okay. The police won't come after you. Usually.

I think the point is more "in order to prevent people from scraping their site, which is against their ToS, they scraped some other site, against its ToS".

Read "in order to have more money, I did things that caused other people to have less money"

When someone who sees the world through a lens of morality notices somebody operating without morality, it is startling.

And it deserves a call out! The benefits to being so cynical that you’re numb to it come with a lot of tradeoffs.


Indeed. I read a lot of comments like the one you are responding to on HN. It seems like there is a type of person who thinks that writing down what their rules are has some magical power.

“This isn’t what it was intended for”. Who cares?

A long long time ago in a galaxy far far away I would encounter warnings on pirating websites saying “If you are an FBI agent you are not allowed to continue on this site”. Imagine their utter disbelief and shock if they were to be arrested by an FBI agent that clicked past the warning anyway.

I agree it must be programmers as a type that like rules a lot and, they think, what a perfect world it could be if people would follow them.


3000 extensions is few enough that a small team could download each extension manually over a few months. You don't need to scrape at all.

In the first place, no one said they needed to, only that they probably did.

Secondly, it's not "3000 extensions". They didn't somehow magically divine that the 2953 (+/-47) extensions we see here were the ones that they needed to download in order to be able to exploit the content-accessible resources described in their extension manifest. They looked at a much larger set, and it got filtered down to these 2953 that satisfied the necessary criteria.


Lol no, did you even read the list? You could pay someone to just search "LinkedIn" and "talent" and "recruiting" on the chrome web store and download each extension. It's probably harder to automate this than it is to do it manually. This is something you could develop in an afternoon and pay a small team of people to do for pennies on the dollar. Even ten thousand extensions is nothing. Spread that over years and this is trivial.

It's not true. The person you're responding to has a habit of posting implausible-but-plausibly-plausible nonsense, and it's not how this works at all.

I made the mistake of trying to skim the code hastily before I had to leave to run an errand, and yes it turns out I was wrong, but please refrain from the personal comments, and no, I don't have any such "habit."

Wrong again. (PS: The fact that you have now replied—which automatically disables comment deletion—is the only thing that prevented my removing it just now. So great job.)

> The fact that you have now replied—which automatically disables comment deletion—is the only thing that prevented my removing it just now. So great job.

How was I supposed to know that you intended to delete it?

In any case, you may still have time to edit your comment, as I did with my erroneous root-level comment, since I can't delete that either, for the same reason.


Not interested. You also shouldn't have done that. You broke the thread—exactly what HN's no-deleting-comments-that-have-replies check was created to prevent.

Consider this: just stop being reckless.


I wrote an erroneous comment in haste, which I regret. However, this kind of thing happens countless times every day on HN. It's not unusual. Except perhaps the regret part: unlike me, many of those other commenters admit no error and express no regret.

If you truly cared about HN etiquette as much as you claim, you wouldn't post haughty hyperbole such as "Consider this: just stop being reckless" and "The person you're responding to has a habit of posting implausible-but-plausibly-plausible nonsense," which go against the HN guidelines, as you may already know. Be honest: do you actually care about the thread? Why would you care, when you ridiculed my top-level comment? Who are you trying to save the thread for, posterity? Nobody cares. The thread had already been downvoted to the bottom of the submission, and the top-level comment was misinformation, so I removed it, because no more people needed to read the misinformation or respond to it. Nothing of value was lost, and I thought my action was prudent, but in any case, the term "reckless" makes a mountain out of a molehill.

My impression is that you made a bigger deal out of this than is warranted because you appear to have some kind of strange, unexplained, preexisting grudge against me and take any minor fault as an excuse to bash me personally. I have no objection to correcting a falsehood, but please keep your personal feelings to yourself and the personal attacks out of the comments.



It doesn't work. The person who posted the comment you're responding to has absolutely no idea what he's talking about. He confabulated the entire explanation based on a single misunderstood block of code that contains the comment «Remove " - Chrome Web Store" suffix if present» in the (local, NodeJS-powered) scraper that the person who's publishing this data themselves used to fetch extension names.

> the charter of projects like LibreOffice are fundamentally broken—they're aiming to replace Microsoft Office by cloning it, but Microsoft Office itself is part of a busted paradigm

<https://news.ycombinator.com/item?id=24759573>

> The LibreOffice project's imprimatur should be to stop existing[…] The editing paradigm perpetuated by the legacy of MS Office is a dead end.

<https://news.ycombinator.com/item?id=23795918>

I'll amend my previous position and say that the charter should be to (a) as much as possible change the menu and dialog structure to match whatever the last "good" version of the Microsoft Office UI was, but still ultimately focus on (b) doing everything I said in those other comments.


I don't know about paradigms and stuff, but I do know that office productivity apps - document writer, spreadsheet, presentation and the others - put together are the second most used 'app' on a PC/laptop after a browser. And that's probably true for just the document writer alone.

I'm a big fan of plaintext (and things like Markdown). But I don't buy the argument that "plain text over the web is the future" or that that combination can or should supplant office.

Also remember that LibreOffice started before Microsoft Office even existed: as StarWriter in the mid-1980s. Yes, there has been a lot of borrowing between computer apps in this domain (and let's also not forget WordPerfect, Lotus 1-2-3 etc.); and I am even willing to entertain the possibility that in 40 years' time we will all be doing something completely different. I mean, I still think people will be writing letters and CVs and reports but maybe the apps would be very different. Anyway, until that time, we need a decent office app, with support for the world's many written languages and their quirks, without spying on users, with multi-platform support, with a decent license etc. - and LibreOffice is that.


> I don't buy the argument that "plain text over the web is the future"

Good thing no one is making that argument. That's a fabricated quote.

> the second most used 'app' on a PC/laptop after a browser

This is supposed to be a rejoinder? You're just undergirding the thing that you're purporting to respond to—that when it comes to the dominance (or, if you prefer, relative importance) of actual multi-/cross-platform ease-of-access between browsers versus 90s-era suites like MS Office and LibreOffice, the office suites lose.

> until that time, we need a decent office app, with support for the world's many written languages and their quirks, without spying on users, with multi-platform support, with a decent license

We do need that. Which is why I described it. And LibreOffice is in a worse position than it should be with respect to filling this hole because of its failure to embrace the actual multi-/cross-platform and ease-of-access benefits afforded by the ubiquity of standard Web browsers and the formats they understand, contra the formats that the 90s-era office suites produce (useless to anyone who doesn't have that office suite or a quasi-compatible one installed).


> Typescript is moving to go because you just cannot get performance out of javascript because of its design.

That's not an accurate summary. An accurate summary is that:

- They can't get the performance they want out of V8

- They're moving to Go because its design is similar enough to JS that they can do a line-by-line port

These aren't similar claims (or mere quibbling) compared to what you wrote. They're very nearly exact opposites.

