Living in a state of accord.

The DiggBar Uproar

Recently John Gruber started an uproar against the Diggbar – an URL shortening service that also adds frames. Frames are one of the most annoying inventions ever to come to HTML, even when used by the original site author. When used by third party’s they have a major impact on the usability for readers who can no longer bookmark, copy URLs or see where they actually are. Back in the 90s when frames were accepted practice, nearly every site would have a link saying something like “stuck in frames? click here” to help users get out.

These days frame busting has become much more automatic, and a bunch of people have taken Gruber’s referer matching approach and built it into various types of plugins. One of them being a WordPress plugin by Phil Nelson. Then along came Αριστοτέλης Παγκαλτζής (Aristotle Pagaltzis)1 who pointed out it didn’t play nice with caching proxies. Finally, Faruk Ateş chimed in with a JavaScript solution that simply removes the diggbar rather than blocks the site.

As it turns out, you really need to combine the advice from all three people to do a good job of dealing with the diggbar. Gruber’s approach and Nelson’s plugin work well to block you site being used as the target of a Digg shorturl. Add in Aristotle’s suggestions and you can make it play nice with proxies. However, that still misses the case where someone creates a Digg shorturl to some other site and it then links to you. Readers will wind up coming to you site with the referer set to the other site, not Digg so the content won’t be blocked. Faruk’s JavaScript method will pick up on this though.

So that’s roughly what has now been deployed to The key difference is that the “Vary: Referer” header that Aristotle suggests is only added when the page is blocked. This means it’s possible for someone using the diggbar to get the real page from a caching proxy, but it shouldn’t be possible for an innocent user to get the blocked page. The JavaScript will still catch any diggbar user’s that get through.

I’ve created a github branch of Phil Nelson’s plugin with the combined code and pinged Phil to ask him to pull in the changes2. Since Digg isn’t alone in framing (apparently, FaceBook and a few others do it too), I wouldn’t mind adding them to the block list. The JavaScript should probably be replaced with a generic frame busting script.

1 – I’ll be surprised if that UTF-8 makes it to the browser unharmed but it’s worth a try…

2 – At least, I think I did – half the reason I did this was as an excuse to try out git and github. I know I screwed up in at least a couple of ways but at least the code made it up there ok.

Category: General