#522 Remote URLs that include PRIVOXY-FORCE


Sites can accidentally or intentionally include URLs constructed with /PRIVOXY-FORCE in them and will auto bypass Privoxy. The string should be stripped from incoming URLs. Many blog entries from Privoxy users accidentally paste ad URLs with the string and this site:
demonstrates an intentional use.

Perhaps it could be done with a filter, but it seems like it should be an internal default.

SF login gbsi3
Firefox 3.6 Privoxy 3.0.16 Win XP SP3


  • Fabian Keil

    Fabian Keil - 2010-03-04
    • labels: 340250 --> funct: blocking
    • milestone: 1069604 -->
    • assigned_to: nobody --> fabiankeil
  • Fabian Keil

    Fabian Keil - 2010-03-04

    Thanks for the report. Please have a look at:

    Anyway ...

    If you are using Privoxy default.action, websites you visit can also embed a bunch of URLs the default configuration blocks to detect if you are using Privoxy, just like they can do for any other ad-blocker that actually blocks anything. If you are concerned about this, you shouldn't be using an ad-blocker.

    Even if you configured Privoxy to not block anything, its reaction to various kinds of input will likely be different enough from other HTTP clients to detect it. If you are concerned about this, too, you shouldn't be using Privoxy or HTTP clients in general, as they pretty much all behave slightly different and can thus be detected by site operators that care enough to take the time to fingerprint them. Of course TCP/IP stacks have fingerprints too, so staying away from HTTP clients might not be good enough.

    It's on the TODO list to augment or replace the fixed force prefix with a random string, but it currently doesn't have a high priority and it certainly will not "fix" the "problem" that websites can detect that the user is using Privoxy.

    Stripping the forced prefix from server responses doesn't solve anything as it could be detected just the same.

  • Alan Stewart

    Alan Stewart - 2010-03-04

    Actually, I'm not concerned if Privoxy can be detected - that was just what was demo'd. And ads aren't really my concern, either. It's malicious links with the PRIVOXY-FORCE string, probably in a blog, that I stumble into.

    Using enforce-blocks eliminates the ability to go to "good " links when needed.

    What I did do, is patch the strings to some other fixed value than PRIVOXY-FORCE. How about a config entry for the user to select a fixed value, rather than random?


  • Fabian Keil

    Fabian Keil - 2010-03-10

    The string used can show up in referrer headers and can also be figured out remotely with various tricks so having a constant one that is unique per user sounds like a bad idea to me.


Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks