cp.jpgEvery time I copy something to the clipboard from SF Gate, it automatically inserts a bunch of extra text, including the URL. Totally annoying! How do I stop it from doing that?

You’re in good company; even digital anthropologist Ariel Waldman is irked by the Gate’s copy/paste add-ons. “Hey @sfgate,” she recently tweeted, “it’s really annoying 2 append “read more: [link]” 2 text that I copy/paste from your site. Please honor how c/p works elsewhere.” In an email to the Appeal, she added that this practice is “lame, to say the least, and makes people want not to share their stuff at all.”

So, we’ve established that it’s annoying. But what’s going on, exactly? According to Appeal staffer Jackson West, this is a case of simple cross-site scripting. While West believes the Gate’s scripting looks more or less harmless, he says it would be a cinch to hijack, either by someone who works for the Gate or externally by a hacker. “If the Twitter kids can be so compromised,” West wrote to me in an email, “I’d hate to think what a half-assed script kiddie could do to the Gate.”

But, West says, there’s no need to run an anti-virus check every time you visit the Gate. While cross-scripting can “theoretically be exploited in all sorts of questionable ways — sort of like the Internet,” it’s in use all over the place. Browsers like Flock and Firefox do similar things, and even sites like Whitehouse.gov use scripting to track data (although they use Flash tracking, which West says is even “creepier”).

“Ultimately,” he writes, “[the SF Gate’s scripting] is mostly pointless — if you find pop-up ads annoying, you’ll probably find this annoying, but there’s no overt security or usability issue. It’s just the Chronicle’s lame attempt* to make sure it’s credited as the source of whatever. And, to their credit, it’s not as lame as, say, the AP’s idiotic practice of actively issuing DMCA takedown requests and lawsuits. It is, like anything dyed-in-the-wool San Franciscan, passive aggressive.”

If you want to protect yourself from this type of tracking, West recommends disabling Javascript from your browser.

*It’s worth noting that this is West’s speculation — we emailed SFGate in July to ask them about the thinking behind this practice, and never received a response.

Think of “Ask the Appeal” as your own personal genie: no Bay-related question is too big or too small. Whether you’re concerned with a municipal question, a consumer advocacy issue or simply with consuming alcohol, email us your questions at ask@sfappeal.com. We’ll either do the dirty work and talk to the folks in charge, contact an expert in the field, or – if your question is particularly intriguing or juicy -develop it into a full-blown investigative article.

Please make sure your comment adheres to our comment policy. If it doesn't, it may be deleted. Repeat violations may cause us to revoke your commenting privileges. No one wants that!
  • variable455

    I suppose there could be an XSS vulnerability, but all it does is provide a full link when someone cuts/pastes a portion of an article.. it’s not hard to delete if you want.

    go to NYT.com, highlight a word and wait for the ‘?’ to appear. automatic search. pretty neat little .js.

    sfgate’s using .js to drive hits – marketing is evil, but the only local paper left needs revenue..

    i don’t mind it.

  • variable455

    I suppose there could be an XSS vulnerability, but all it does is provide a full link when someone cuts/pastes a portion of an article.. it’s not hard to delete if you want.

    go to NYT.com, highlight a word and wait for the ‘?’ to appear. automatic search. pretty neat little .js.

    sfgate’s using .js to drive hits – marketing is evil, but the only local paper left needs revenue..

    i don’t mind it.

  • Derek-Tynt

    Hello all, I thought I would add my 2 cents worth to the conversation. I work with Tynt, the company that provides the script that the Gate uses to do this. We’ve been beta testing this solution on many sites around the world, the Gate being one of them.

    We are focused on trying to help content publishers benefit when people copy their content (as opposed to the AP approach) by driving more traffic back to the original article, and making sure that articles are properly attributed.

    In the Beta cycle, most people have been very supportive, but we’ve had a few react like the author of this article, so for that we are building into the product the opportunity to set a cookie in your browser so you won’t get the attribution on the gate. It isn’t fully implemented yet, but if you email support [at] tynt.com we can send you the link to turn off attribution on SFGate.

    We are also open to all suggestions on improvement, so please send them over!

    Derek

  • Derek-Tynt

    Hello all, I thought I would add my 2 cents worth to the conversation. I work with Tynt, the company that provides the script that the Gate uses to do this. We’ve been beta testing this solution on many sites around the world, the Gate being one of them.

    We are focused on trying to help content publishers benefit when people copy their content (as opposed to the AP approach) by driving more traffic back to the original article, and making sure that articles are properly attributed.

    In the Beta cycle, most people have been very supportive, but we’ve had a few react like the author of this article, so for that we are building into the product the opportunity to set a cookie in your browser so you won’t get the attribution on the gate. It isn’t fully implemented yet, but if you email support [at] tynt.com we can send you the link to turn off attribution on SFGate.

    We are also open to all suggestions on improvement, so please send them over!

    Derek

  • Alex Zepeda

    Ugh, count me as another one who finds the Gate’s javascript obnoxious. Unexpectedly taking control of a user’s computer is generally considered poor form. Much like companies using Facebook’s beacon should have made that service opt in (I’m looking at you Yelp), we shouldn’t have to beg permission to prevent SFGate/Tynt from hijacking our browsers. The entire premise of Tynt is offensive to me.

    What Mr. West missed was that Tynt can easily accumulate data on what your SFGate browsing habits. Some might find that intrusive (I certainly wouldn’t want to make public the articles I’ve clipped or highlighted from a dead tree newspaper), some might not. Some might trust Tynt to do only noble things with the data they’re collecting on you, some might not.

    Disabling javascript globally is an excellent security measure, but you are stuck with lots of sites that force you to enable javascript because their web devs are lazy. If you don’t read the SFGate comments, disabling Javascript is the way to go. Unfortunately their comments (for some unknown reason) require Javascript, so if you want to read them you’ve gotta put up with their pop under ads and clipboard hijacking.

    As for disabling Tynt, it’s easy. You don’t even need to beg permission from their support staff. With Firefox, just install a plugin that lets you filter the content (such as noscript). Add the domain tynt.com to your block list. Specifically, SFGate is using:

    http://tcr.tynt.com/javascripts/Tracer.js?user=ad1_AICmWr3PaXab7jrHtB&s=60

    So you could block tcr.tynt.com if you wanted to view the tynt site, but not be stalked.

  • Alex Zepeda

    Ugh, count me as another one who finds the Gate’s javascript obnoxious. Unexpectedly taking control of a user’s computer is generally considered poor form. Much like companies using Facebook’s beacon should have made that service opt in (I’m looking at you Yelp), we shouldn’t have to beg permission to prevent SFGate/Tynt from hijacking our browsers. The entire premise of Tynt is offensive to me.

    What Mr. West missed was that Tynt can easily accumulate data on what your SFGate browsing habits. Some might find that intrusive (I certainly wouldn’t want to make public the articles I’ve clipped or highlighted from a dead tree newspaper), some might not. Some might trust Tynt to do only noble things with the data they’re collecting on you, some might not.

    Disabling javascript globally is an excellent security measure, but you are stuck with lots of sites that force you to enable javascript because their web devs are lazy. If you don’t read the SFGate comments, disabling Javascript is the way to go. Unfortunately their comments (for some unknown reason) require Javascript, so if you want to read them you’ve gotta put up with their pop under ads and clipboard hijacking.

    As for disabling Tynt, it’s easy. You don’t even need to beg permission from their support staff. With Firefox, just install a plugin that lets you filter the content (such as noscript). Add the domain tynt.com to your block list. Specifically, SFGate is using:

    http://tcr.tynt.com/javascripts/Tracer.js?user=ad1_AICmWr3PaXab7jrHtB&s=60

    So you could block tcr.tynt.com if you wanted to view the tynt site, but not be stalked.

  • Erik

    Seems pretty reasonable to me. Anyone who cares that much about having to delete the extra line is probably also the type who knows exactly how to block or disable the script in their browser. The NYT thing that pops something when you highlight is far more annoying.

  • Erik

    Seems pretty reasonable to me. Anyone who cares that much about having to delete the extra line is probably also the type who knows exactly how to block or disable the script in their browser. The NYT thing that pops something when you highlight is far more annoying.

  • SF94122

    If they’re just appending the source URL, what’s the harm? Isn’t everyone is citing / linking back to the source anyway? The script actually saves me a step.

    I would understand if they completely blocked c/p… Actually, I wouldn’t, it’s their page and most people probably do not notice / care.

    Per privacy considerations, I don’t agree with any cookie / tracking that associated with the copy/paste (i.e., if they are keeping tabs on who is copying what). And, Always configure your browser to clear all private data, cookies, etc whenever you close the browser.

  • SF94122

    If they’re just appending the source URL, what’s the harm? Isn’t everyone is citing / linking back to the source anyway? The script actually saves me a step.

    I would understand if they completely blocked c/p… Actually, I wouldn’t, it’s their page and most people probably do not notice / care.

    Per privacy considerations, I don’t agree with any cookie / tracking that associated with the copy/paste (i.e., if they are keeping tabs on who is copying what). And, Always configure your browser to clear all private data, cookies, etc whenever you close the browser.

  • BiancaBaler

    Recycling is extremely important to save money, as well as the planet. A cardboard baler is a great way to do this.

  • BiancaBaler

    Recycling is extremely important to save money, as well as the planet. A cardboard baler is a great way to do this.

  • BiancaBaler

    Recycling is extremely important to save money, as well as the planet. A cardboard baler is a great way to do this.

  • BiancaBaler

    Recycling is extremely important to save money, as well as the planet. A cardboard baler is a great way to do this.