Privacy: Integration list leaked even with analytics disabled #17721

Closed
3 tasks done
esev opened this issue Aug 27, 2023 · 2 comments

@esev
Contributor

esev commented Aug 27, 2023

Checklist

  • I have updated to the latest available Home Assistant version.
  • I have cleared the cache of my browser.
  • I have tried a different browser to see if it is related to my browser.

Describe the issue you are experiencing

When visiting the /config/integrations/dashboard page, information about the integrations I have loaded is sent to brands.home-assistant.io. This happens even when all analytics are disabled in /config/analytics.

Describe the behavior you expected

If analytics reporting is disabled, Home Assistant should not expose/report information about the loaded integrations. I'd expect the brand icons to not be loaded from a remote location if the user has disabled analytics reporting. Maybe show a generic icon, or no icon, in this case.

Steps to reproduce the issue

  1. Visit /config/analytics and disable all analytics reporting
  2. Open the network inspector in the browser's developer tools
  3. Visit the /config/integrations/dashboard page
  4. Observe brand images are loaded from brands.home-assistant.io for each integration enabled in Home Assistant.

What version of Home Assistant Core has the issue?

core-2023.8.2

What was the last working version of Home Assistant Core?

No response

In which browser are you experiencing the issue?

No response

Which operating system are you using to run this browser?

No response

State of relevant entities

No response

Problem-relevant frontend configuration

No response

Javascript errors shown in your browser console/inspector

No response

Additional information

This seems related to #17560 & #15440.

Note: I don't believe this is a high-priority issue. It just seems like unexpected behavior for users who have disabled analytics reporting. I only noticed it after adding a CSP header similar to the person who reported #15440.

@steverep
Member

steverep commented Sep 6, 2023

AFAIK, access logs for brands.home-assistant.io are not analyzed, and even if they were, it would be a completely unreliable way to know which IP has which integrations installed, as images might get requested just for checking out an integration or its documentation.

Also, the images are all loaded with a "no-referrer" policy, meaning the website origin making the request is not exposed. (The couple cases where it accidentally wasn't are fixed in #17840.)

@bramkragten
Member

If you scroll through the list of integrations in the add integration dialog, you will also fetch these images; it says absolutely nothing about what integrations you have installed.

But you can always block access to brands.home-assistant.io if you want.

@bramkragten closed this as not planned Sep 6, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Sep 5, 2024
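
One way to check a capture taken with the reproduction steps above, as an added example that is not part of the original thread or of Home Assistant's code: it reads a HAR export from the browser's network tools, lists the integration names visible in requests to brands.home-assistant.io, and flags any request that carried a Referer header. The sample HAR, the `ha.example.test` origin and the `/_/<domain>/icon.png` path layout are assumptions constructed for illustration.

```javascript
// Added example: audit a HAR export for requests to the brand image host.
const BRANDS_HOST = "brands.home-assistant.io"; // host named in the issue

// Constructed sample HAR, not a real capture. The URL path layout and the
// ha.example.test origin are assumptions made for this example.
const sampleHar = {
  log: { entries: [
    { request: { url: "https://brands.home-assistant.io/_/hue/icon.png",
        headers: [{ name: "Accept", value: "image/*" }] } },
    { request: { url: "https://brands.home-assistant.io/_/zwave_js/icon.png",
        headers: [{ name: "Referer", value: "https://ha.example.test/" }] } },
    { request: { url: "https://ha.example.test/api/config", headers: [] } },
    { request: { url: "not a url", headers: [] } }, // malformed entry, skipped
  ] },
};

// Assumption: the integration domain is the path segment before the file name.
function integrationFromPath(pathname) {
  const parts = pathname.split("/").filter(Boolean);
  return parts.length >= 2 ? parts[parts.length - 2] : null;
}

function auditBrandRequests(har, host = BRANDS_HOST) {
  const findings = [];
  for (const entry of har?.log?.entries ?? []) {
    let url;
    try { url = new URL(entry.request.url); } catch { continue; }
    if (url.hostname !== host) continue; // only the brand image host matters
    // Header names are case-insensitive; HAR keeps them as the browser sent them.
    const referer = (entry.request.headers ?? [])
      .find((h) => h.name.toLowerCase() === "referer");
    findings.push({
      integration: integrationFromPath(url.pathname),
      refererSent: referer ? referer.value : null,
    });
  }
  const names = findings.map((f) => f.integration).filter(Boolean);
  return {
    total: findings.length,
    integrations: [...new Set(names)].sort(), // names visible to the remote host
    withReferer: findings.filter((f) => f.refererSent !== null),
  };
}

const report = auditBrandRequests(sampleHar);
console.log(JSON.stringify(report, null, 2));
```

An empty `withReferer` list on a real capture matches the "no-referrer" behaviour described in the thread; a non-empty one points at an image loaded without that policy.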