This is the main reason I completely ditched Reddit, if you use the new Reddit interface instead of the old one (old.reddit.com), you’ll see a constant request being made to “https://www.reddit.com/svc/shreddit/events” (open your DevTools > Network tab, can’t see on Firefox idk why).
The problem is, if you add this to your uBlock Origin filters the website won’t load properly, that’s why the uBO team didn’t block it already.
You’ll notice this request isn’t only being made from an interval but also when you do basically any action on the site, like pausing or resuming a video (it sends timestamps of when you paused or resumed).
It sends other kinds of data, like what subjects you’re seeing when you close a tab or the related subjects of a post you click; this can all be used to trace a perfect profile of you and the things you like.
You can avoid that by using the old.reddit but it still has the same kind of tracker, even though you can block it here without major issues.
By my analysis, the old Reddit interface does the same but to a random URL path that always starts with “reddit.com/api/something”. Ex.: reddit.com/api/friends. So you can block anything that starts with “www.reddit.com/api” in your custom filters (after all you’re using old.reddit.com), then you’re mostly free from Reddit trackers (more or less). The side effect is, you won’t be able to use the chat in the old interface.
Reddit sucks for many reasons and I refuse to use it, but as a software engineer, this hardly looks nefarious. That looks like a pretty typical event gateway in networked applications, which is used for all kinds of things to make a platform run. We have one in our application, and it’s not used for any kind of privacy-invasive tracking. We use it for things like bulk data processing for things like userbase-level analytics (like, how many users are using this feature?), or for billing purposes for our customers (since we bill based on usage).
And calls to /api/* routes are absolutely completely normal for any SPA (single page app), and are required for them to function. There’s certainly a technical argument to be made against SPAs in favor of more traditional server-side rendering (augmented by tools like https://htmx.org/ for dynamic content), which could be used to avoid these kinds of API calls (and, in fact, it’s a model I’m very much in favor of), but that kind of architecture is far from the norm these days. The SPA model is the current (IMO bad, from a technical perspective) standard.
We have many reasons to shit on reddit and their behavior, but this honestly isn’t one of them.
The point isn’t the endpoint call, the point is that while accessing old.reddit.com it’s making calls to reddit.com. I inspected it closely: reddit.com/api has no use when you’re using old.reddit.com, the calls that make the website work are made to old.reddit.com/api, the calls for tracking are made to reddit.com/api. And old reddit isn’t a SPA, you can access it with JS disabled.
I know old reddit is not an SPA, but that’s entirely the point. New reddit is clearly written as an SPA. Old reddit was created before SPAs were super common, so it uses a different architecture.
Yes, so when we’re talking about calls to /api/* we’re talking about old.reddit.com, I didn’t say anything about calls to this endpoint on new reddit, the problem with new Reddit are calls made to https://www.reddit.com/svc/shreddit/events with a lot of trackers. It can’t be blocked.
Right, and I explained that looks like a very common event gateway kind of architecture, which has many legitimate uses.
Now, it’s entirely possible that Reddit is also using it for tracking shit (because of who they are), but the mere fact that an event gateway exists isn’t evidence of that. Here’s the Wikipedia article on the architecture: https://en.m.wikipedia.org/wiki/Event-driven_architecture.
If you want to believe Reddit is using it merely to make their website work properly, be my guest.
I have no doubt Reddit is doing shitty things (as evidenced by, well, everything in the last several years), but that’s entirely unrelated to what kind of architecture is involved. You can do shitty stuff with regular JS, cookies, etc. on webpages.
I simply don’t want people thinking that this is actual evidence of wrongdoing, because it isn’t.
You really can’t tell that this isn’t being used for evil practices; personal info is leaving your machine via client-side requests, end of story. You can use your judgement, but in fact, you can’t really tell anything. I wouldn’t trust Reddit; if you trust them, good for you.
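
Added example, not written by any commenter in this thread: one way to check for yourself which requests leave the host you are browsing is to export a HAR file from the DevTools Network tab and group its entries by destination. The sample entries, the function names and the two-label "site" heuristic are assumptions made for this illustration.

```javascript
"use strict";

// Constructed sample in HAR 1.2 shape (log.entries[].request); not captured traffic.
const sampleHar = { log: { entries: [
  { request: { method: "GET",  url: "https://old.reddit.com/r/privacy/" } },
  { request: { method: "POST", url: "https://old.reddit.com/api/constructed-action",
               postData: { text: "id=constructed&dir=1" } } },
  { request: { method: "POST", url: "https://www.reddit.com/api/friends",
               postData: { text: "{\"constructed\":true}" } } },
  { request: { method: "POST", url: "https://www.reddit.com/api/friends",
               postData: { text: "{\"constructed\":true,\"n\":2}" } } },
  { request: { method: "GET",  url: "https://cdn.example/static/app.js" } },
] } };

// Simplification (assumption): the last two labels are the "site".
// A real tool would consult the Public Suffix List instead.
const site = (host) => host.split(".").slice(-2).join(".");

function relation(reqHost, pageHost) {
  if (reqHost === pageHost) return "same-host";
  return site(reqHost) === site(pageHost) ? "sibling-host" : "third-party";
}

// Group every http(s) request by host + path, counting requests and uploaded bytes.
function summarise(har, pageHost) {
  const groups = new Map();
  for (const { request } of har.log.entries) {
    let url;
    try { url = new URL(request.url); } catch { continue; } // malformed URL
    if (!/^https?:$/.test(url.protocol)) continue;          // skip data:, blob:, ...
    const key = `${url.hostname}${url.pathname}`;
    const g = groups.get(key) ?? { endpoint: key, requests: 0, posts: 0, bodyBytes: 0,
                                   relation: relation(url.hostname, pageHost) };
    g.requests += 1;
    if (request.method === "POST") g.posts += 1;
    g.bodyBytes += new TextEncoder().encode(request.postData?.text ?? "").length;
    groups.set(key, g);
  }
  return [...groups.values()];
}

// Endpoints on a different host than the page that receive request bodies:
// these are the payloads worth opening and reading in DevTools.
function offHostUploads(har, pageHost) {
  return summarise(har, pageHost)
    .filter((g) => g.relation !== "same-host" && g.posts > 0)
    .sort((a, b) => b.bodyBytes - a.bodyBytes);
}

console.table(offHostUploads(sampleHar, "old.reddit.com"));
```

The output only shows where request bodies go and how large they are; what the service does with them cannot be determined from the client side.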