Bug #16495
closed
Privacy/visibility restricts Hypothes.is links
Added by Colin McDonald almost 2 years ago.
Updated almost 2 years ago.
Description
It seems that when a site is changed from public to only registered Commons users, links like this no longer work:
https://via.hypothes.is/https://wgs1001su22shaw.commons.gc.cuny.edu/wp-content/blogs.dir/22484/files/2022/07/BornsteinMyNewGenderWorkbook.pdf
A professor is using the "https://via.hypothes.is/" URL prefix to open links to her PDF readings (uploaded to her wgs1001su22shaw.commons.gc.cuny.edu Commons site) in the Hypothesis annotation interface. I see the point that if I'm a Commons user clicking that link for a site that allows me to access it, I shouldn't be blocked.
But is there something about the link structure/routing here that limits being able to track my Commons status? If so, is this something on the Hypothesis side, or can we do something about it? Hypothesis has a Chrome extension and bookmarklet that also call up the annotation interface, and those seem to work fine with the higher privacy level.
Previously: #8944. See specifically https://redmine.gc.cuny.edu/issues/8944#note-3 and follow-up conversation.
The bookmarklet and browser extension are client-side tools. You access the PDF using your Commons credentials, at which point it's a local file; the client-side tools can then operate on it. The via.hypothes.is links are different, because they involve embedding an item in a third-party site, and the third-party site is subject to the Commons's privacy restrictions - unlike your browser, via.hypothes.is is not credentialed to view the content. There's no simple way around this restriction, and in the past we've accepted this as a natural limitation of using Hypothesis on the Commons.
Maybe Ray has other ideas?
Thanks Boone, and sorry, I should have checked the archive on this before posting. I'll pass along your very helpful summary to the professor. Ray, if you have other ideas that would be great, but it's understandable there might be limitations given the structural Commons/Hypothesis interplay.
Maybe Ray has other ideas?
As Boone mentioned in https://redmine.gc.cuny.edu/issues/8944#note-5, we could write an exception to allow via.hypothes.is to access the document URL based on the HTTP referer and if the domain of the referer matches via.hypothes.is. But that would mean it would be technically possible for anyone with a little HTTP header manipulation to access private documents. That's kind of an edge case, but I note it anyway.
Boone, for how to accomplish this technically, I'm thinking we write a small plugin that when activated on a site, it will regenerate the .htaccess file and add the exception for the via.hypothes.is domain. When deactivated, the .htaccess file is regenerated to remove the exception.
Raymond Hoh wrote in #note-3:
we could write an exception to allow via.hypothes.is to access the document URL based on the HTTP referer and if the domain of the referer matches via.hypothes.is. But that would mean it would be technically possible for anyone with a little HTTP header manipulation to access private documents. That's kind of an edge case, but I note it anyway.
Yeah, that would be a concern for me. I think it's reasonable to expect that if you want to use a tool like hypothesis, your content should be public. I don't think it's worth the risk of exposing private documents to accommodate this edge case
Thanks all, I'll get back to the professor with this info. It does make sense that Hypothesis usage would require some sort of open access to the underlying material.
- Status changed from New to Rejected
- Target version set to Not tracked
Also available in: Atom
PDF