elements icon indicating copy to clipboard operation
elements copied to clipboard
verified publisher icon stoplightio

"Powered by stoplight" shares spec data with stoplight.io

Open dodedodo opened this issue 4 years ago • 3 comments

Hey,

First of all, thank you for open-sourcing elements.

I've noticed that the "Powered by stoplight" buttons shares information about the OpenAPI specification with stoplight.io. utm_medium contains the API title, and utm_content contains an OpenAPI operationId. What are you using this data for?

I feel like some users might find this 'hidden' sharing of their spec with stoplight.io to be invasive. Especially if that spec would be an internal document.

Would you consider anonymizing the data you're collecting from this link even further?

dodedodo avatar Aug 22 '21 23:08 dodedodo

Hey @dodedodo, thanks for pointing this out. Our primary goal with the UTM is to attribute the source of traffic to Stoplight both within the OSS offering and Stoplight Platform. The Operationid looks like extra information that we can possibly skip.. For that we are thinking of changing the medium to domain and content to API title. Thoughts on that?

mnaumanali94 avatar Aug 23 '21 18:08 mnaumanali94

I understand your need to gather usage info. But I'm personally not completely comfortable sharing any details of my API spec, including the name and domain. I'm also curious, would sharing of domain disclose filesystem paths if elements runs from a local HTML file? Changing the API title from utm_medium to utm_content doesn't really change much from a user's perspective.

Imagine having an IoT-like API to open and close a city bridge. Even though it should be secure, I imagine it'd be bad practice to announce its existence to anyone. That's essentially what the link could accidentally do by disclosing the domain/api name/functionId.

dodedodo avatar Aug 24 '21 12:08 dodedodo

When asked "what companies are using Elements" our answer was "we don't know", because we didn't want to do anything sneaky to find out. No tracking pixels, no CDN redirect tricks, nothing along those lines. The UTM stuff was a bit of a miscommunication, as whilst it's by no means a security issue (you cant do much by knowing a company called their User API "User API"), we don't use it for anything. The intention was to use IDs, which are entirely opaque strings and if a project is private then they cant see what it is anyway.

@mnaumanali94 could we bump up the priority on this and get projectId in there instead of the current stuff?

philsturgeon avatar Oct 01 '21 15:10 philsturgeon