Boing Boing BBS' tracking pixel is untrustworthy, according to browser

No, not in the Snopes sense, but in the sense that Safari will not load some scripts due to invalid certificates. This is especially ironic for a site whose editors and audience are concerned about privacy and spoofing.

From the console:

 [Error] XMLHttpRequest cannot load https://bbs.boingboing.net/message-bus/d0a4851dbf744cdc8ce36aca8413d99b/poll due to access control checks.
	send (ember_jquery-a8dcbd325e04410f036f2a791d66d8316c48c5387acdd914de99a5dd6afb3cd3.js:3:16194)
	ajax (ember_jquery-a8dcbd325e04410f036f2a791d66d8316c48c5387acdd914de99a5dd6afb3cd3.js:3:12619)
	n (vendor-057c8aaf728aa3bc264d5ff93a70e003efe4f4ecdc16ba0a02d452e6e3ef4402.js:1:18763)
	(anonymous function) (vendor-057c8aaf728aa3bc264d5ff93a70e003efe4f4ecdc16ba0a02d452e6e3ef4402.js:1:17895)
[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “edge.quantserve.com” which could put your confidential information at risk. (quant.js, line 0)
[Error] Failed to load resource: the server responded with a status of 503 (HTTP/2.0 503) (browser-update-f57286e74ddbc53aa899689b01ef467078911e4138050c561939955849af35dd.js.map, line 0)

Come on, guys, you are supposed to be better than this!

We (as in Boing Boing) don’t host the BBS, the @discourse folks do.

Discourse folks, any insight?

Then consider this a gentle reminder, as it is breaking the infinite scrolling on Safari with default settings, and unfortunately you guys are going to get blamed.

I just want to applaud your use of the monocle icon.

Bravo Old Horse! Bravo!

PS: edge.quantserve.com

That’s not us either…we don’t have quant.js in Discourse, or in
Message-Bus. Feel free to examine the codebase yourself:

Perhaps a malicious browser extension, an ad blocker, a firewall…?

Josh

A little bit of digging, and it seems it’s a tracking pixel served by “edge.quantserve.com” was the culprit. At least I suspect it’s a tracking pixel from when I went to their corporate site and saw their spiel about knowing your audience, yadda yadda yadda.

So apparently the tracking pixel code was to blame, and it seems they fixed their certificate.

EDIT:
Actually, it is still a problem…

Screen Shot 2017-10-02 at 15.41.11.png1392×889 273 KB

Oh yeah, I updated the title as well. And I am glad you posted a link to the source code, as I had been meaning to poke around in it despite my rudimentary knowledge of Ruby.

You can view source to see what it is…

<!-- BB analytics -->
<script type="text/javascript">
    (function () {
        var host_proto = "https://";
        // Quantcast
        _qoptions = { tags: 'Entertainment', qacct: 'p-9dsZX-5zhUuTg' };
        var __qc_req = document.createElement('script'); __qc_req.type = 'text/javascript'; __qc_req.async = true; __qc_req.src = host_proto +'pixel.quantserve.com/seg/' + _qoptions.qacct + '.js';
        var __qcs = document.getElementsByTagName('script')[0]; __qcs.parentNode.insertBefore(__qc_req, __qcs);
        var __qc_req2 = document.createElement('script'); __qc_req2.type = 'text/javascript'; __qc_req2.async = true; __qc_req2.src = host_proto +'edge.quantserve.com/quant.js';
        var __qcs2 = document.getElementsByTagName('script')[0]; __qcs2.parentNode.insertBefore(__qc_req2, __qcs2);
    })();
</script>

Yeah, that’s classic tracking pixel stuff, the “paste this into your template as is” that I have also had to create on my day job. At least my current employer doesn’t make this but instead uses a redirector to let its clients trace raw clicks from traffic sources.

Full disclosure, I am a front end engineer for Refined Labs, a Visual IQ subsidiary which just got bought out by Nielsen last week.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.