Replying to Avatar LNBϟG

To be honest, I am concerned about the anonymity in Nostr. If you suddenly don't know, then when you view your account through the web version, then:

1) Every relay knows your referrer (site name)

2) Relay knows your IP address, and probably your npub (when there is a request to subscribe to a feed about a certain user - about you yourself)

Also, if you correspond with someone in a personal chat, everyone can find out with whom and how many messages (only they do not know the text of the correspondence). All this is quite dangerous for those who want to remain anonymous. For example, in totalitarian regimes it is very dangerous.
Avatar
shafemtol 2y ago

Regarding referrer, browsers send the `Origin` header on WebSocket connections, revealing the domain name of the client app. Other resources can be loaded without referrer/origin through `Referrer-Policy`. This does not affect the WebSocket `Origin` header.

I did some testing and found a trick: Put the WebSocket client in a sandboxed iframe.

Demo here: https://sha.femtol.net/dev-tests/ws-origin/iframe-sandbox.html (use the browser's network console).

Tested and works on both Firefox and Chromium. It might not work on older Firefox browsers, though.

Reply to this note

Please Login to reply.

Discussion

No replies yet.