Remove etag from HTTP GET requests to prevent tracking. (!436) · Merge requests · F-Droid / Client

username-removed-25042 requested to merge pserwylo/fdroidclient:fix-tracking-issues into master Feb 22, 2017

While we're doing the HEAD request, we also get the etag sent back from the server for caching purposes. In the past we had a more typical workflow of:

Make a GET request to download the file
Attach an If-None-Match to the request with the etag we received from the server earlier.
Possibly receive a 304 (Cached) response.

The reason we don't do this any more is that it allows for servers to send custom etags to different users and thus track downloads made by each user. Thus now we only ever ask for etags and then do our own comparison, rather than sending etags and letting the server decide if they match or not.

Admin message

Admin message

Remove etag from HTTP GET requests to prevent tracking.

Merge request reports