prevent unintentional leakage of browsing history #6

@hn3000

We should prevent leaking the user's browsing history to the lean-in server unless the user actually wants the browsing history recorded (for example because they are using their own lean-in instance and want to be able to see their history across browsers).

Possible solutions:

  • hash host / path separately with a hashing algorithm that has a not-too-low probability of collisions and use those to request comments (documents would be per-user-per-page and must record the full URL they apply to)
  • allow the user to whitelist / blacklist domains explicitly, so that lean-in will never try to show comments for your online banking website, for example
  • only request comments for pages
    • loaded via http (only show local comments or comments downloaded before for pages loaded with https, disallow fetching remote comments / at least show a warning)
    • that are the result of a GET
    • loaded without URL parameters (some CMS use parameters for every page -- do we need to allow overriding this for some sites?)
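
One way the proposals above could combine into a single client-side gate, as an added example that is not part of the original issue or the lean-in code base. The function names, policy fields, sample hosts and the use of truncated FNV-1a as the collision-prone hash are all assumptions.

```javascript
// Added example: names, defaults and the FNV-1a choice are assumptions.
const DEFAULT_POLICY = {
  bucketBits: 12,                    // 1..32; fewer bits = more collisions
  blockedHosts: ["bank.example"],    // constructed blacklist entry
  allowQueryHosts: ["cms.example"],  // constructed per-site override
};

// 32-bit FNV-1a truncated to its top `bits` bits, so many different inputs
// share a bucket and the server only learns the bucket, not the input.
function bucket(text, bits) {
  let h = 0x811c9dc5;
  for (const byte of new TextEncoder().encode(text)) {
    h = Math.imul(h ^ byte, 0x01000193) >>> 0;
  }
  return (h >>> (32 - bits)).toString(16);
}

// True when host equals a listed domain or is a subdomain of one.
function hostMatches(host, list) {
  return list.some((d) => host === d || host.endsWith("." + d));
}

// Decide whether remote comments may be requested for a page load.
// Returns { fetch: false, reason } or { fetch: true, hostBucket, pathBucket }.
function planCommentRequest(load, policy = DEFAULT_POLICY) {
  const url = new URL(load.url);
  if (hostMatches(url.hostname, policy.blockedHosts)) {
    return { fetch: false, reason: "blocked-host" };
  }
  if (url.protocol !== "http:") return { fetch: false, reason: "not-http" };
  if (load.method !== "GET") return { fetch: false, reason: "not-get" };
  const queryOk = hostMatches(url.hostname, policy.allowQueryHosts);
  if (url.search && !queryOk) return { fetch: false, reason: "has-query" };
  // Host and path are hashed separately; the full URL never leaves the client.
  // Buckets collide by design, so the client must still filter the returned
  // documents by the full URL each one records.
  return {
    fetch: true,
    hostBucket: bucket(url.hostname, policy.bucketBits),
    pathBucket: bucket(url.pathname + url.search, policy.bucketBits),
  };
}
```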
