HackerTrans
TopNewTrendsCommentsPastAskShowJobs

bryanmccann

no profile record

comments

bryanmccann
·3 years ago·discuss
The Firefox extension is only there to make it easier to set you.com as the default search engine in the browser. It is possible to do this manually by changing settings, but a lot of our users would prefer to just install an extension instead. Link: https://addons.mozilla.org/en-US/firefox/addon/you-com/.

The desktop Chrome extension (https://chrome.google.com/webstore/detail/youcom-search-chat...) has some additional functionality. It lets users easily switch their default search engine between you.com, our new youchat feature, and our youcode mode. It also has quick shortcuts to some of our most popular apps, like YouImagine (which is an image generation app, like Stable Diffusion).

For mobile, we have our own custom mobile browsers apps on iOS (https://apps.apple.com/us/app/you-com-search-and-browser/id1...) and on Android (https://play.google.com/store/apps/details?id=com.you.browse...) where we pack in a lot of additional features since as you mention there are no extensions for Chrome mobile and Safari extensions are somewhat hard to install.
bryanmccann
·3 years ago·discuss
Hi there this is Bryan, CTO at you.com This post is not true: the you.com extension does not inject tracking beacons across the web or locally.

I went back and looked at the open source code, and I can see how someone might misunderstand what is happening so I will clarify here with pointers to the open source code as well. The Firefox extension should be unminified too, so anyone who has it installed can check that the code I'm referring to is represented in that open source repository I will link to below.

Let's walk through the extension code, starting with the relevant part of the manifest.json:

"content_scripts": [ { "matches": ["://localhost/", "://you.com/", "://.you.com/"], "js": ["content-script.js"] }

This says that on domains that match ["
://localhost/", "://you.com/", "://.you.com/"], we run content-script.js.

source: https://github.com/You-OpenSource/You-Firefox-Extension/blob...

In content-script.js we have:

``` let beacon = document.createElement("div"); beacon.className = "you-firefox-addons-beacon" document.body.appendChild(beacon); ``` https://github.com/You-OpenSource/You-Firefox-Extension/blob...

So if you are on localhost or a you.com owned domain (certainly not "across the web"), we add a div to the page that does nothing by itself. We do this so that our client side code can detect whether you have the extension when you are on you.com and other you.com subdomains. We had the localhost in there for convenience while developing and should have removed it before publishing, but to be clear, even with that localhost match in the code, there is still no tracking, not across the web and not locally. We'll take the localhost match out out though to avoid any confusion.

We unfortunately named that div "you-firefox-addons-beacon", which I think misled the original poster to think we were doing something with the Beacon API (https://developer.mozilla.org/en-US/docs/Web/API/Beacon_API). But we are not. It is just an empty div that our client side code checks for when it loads the page for you.com domains and subdomains so you don't see the "Install extension" buttons and things like that once you have the extension. We will change the name so that it does not create this misperception moving forward.

And to address the downstream concerns in the other comments, we don't track users around the web. We don't use tracking to provide personalized search results -- we use the App Preferences feature that is available after someone signs up.

I'm glad that it is newsworthy that our search engine and browser plug-ins don't spy on our users! Please check the source code if you'd like: https://github.com/You-OpenSource/You-Firefox-Extension and spread the good word!
bryanmccann
·4 years ago·discuss
I won today with no undos and I'm more proud of that than winning any wordle, heardle, semantle, or any of the rest. Came down to 2 words remaining, one more guess. Phew! Great game; thanks for making it!
bryanmccann
·4 years ago·discuss
Looking at that page, it appears we load a font from Google for about.you.com. Thanks for flagging! We'll get rid of that.

We do use CloudFlare for our CDN, DNS name server, JavaScript caching, and DDoS protection. We're not planning to move off of CloudFlare any time soon, but we've worked with them to ensure that they do not store user queries in their logs (completely masked out), they redact the last part of user IP addresses so no individual IP address is stored while keeping the benefits of bot detection and DDoS protection, and their javascript analytics tracker is turned off so there shouldn't be anything CloudFlare client-side.

Thanks again for the time you took looking into all this! It's great to have people out there that care enough to look and report what they find. Much appreciated.
bryanmccann
·4 years ago·discuss
Hello! Checking in from you.com on this. For the FAQ page, is this the page you were looking at: https://about.you.com/faq/ ? I want to make sure I'm looking at the exact same page.
bryanmccann
·5 years ago·discuss
Hi Tyriar,

Just wanted to provide some more info on the background service worker, though if you've pulled the code you've probably already seen the same.

Right now that worker does two things. It redirects to a survey if you uninstall the extension (going away in the next update once it makes it through the webstore review), and it allows detection of the installed extension since its required in Chrome unless you search from the url/navbar.

And just so there's full details on the restriction here too:

We determine if the search is from the url/navbar only through that fromSearchBar query parameter, so either manually entering the url without that query param, following links without that query param, or by setting your default in your settings manually and searching from the url/navbar will all work. It is just that search bar on the page that gets disabled without the extension. There's also no restriction right now on non-Chrome browsers or in a Chrome Incognito Window.

Thanks for digging in, bringing that up for clarification, and for your proposal!