Tell HN: Toptal's HTML minification API occasionally injects tracking JavaScript
Just a heads up for anyone using their API - about 1 in 5 requests will return with Cloudflare Insights tracking JS. It's not mentioned anywhere in the API documentation, Privacy Policy, or ToS.
Fairly certain this is the package they based their service on https://github.com/tdewolff/minify
Edit: Here's a tweet I posted with a screenshot of the code: https://twitter.com/cullend/status/1575243757624360960?s=20&t=JVhqXDJExBnrEVOXeFH4Jg
28 comments
[ 2.7 ms ] story [ 70.2 ms ] threadBut I agree with your point, this should have been mentioned in their ToS and/or Privacy Policy.
Now, are _you_ serving from Cloudflare and you're seeing this in production? Or is this coming from the output?
But to your main question - the resultant HTML is occurring after running a python script fully locally, no hosting, prod, dev server, or anything related to Cloudflare coming into play.
They provide a lot of this type of thing - rewriting HTML responses with optimizations "at the edge" instead of you doing it at your origin.
[1] https://developers.cloudflare.com/analytics/web-analytics/ge...
Feels like we've jumped the shark if you need to send un-minified stuff to another server to get minified, sort of defeating the point in the first place...
Seems insane anyone would even entertain the thought... it's trivially easy to minify whatever you want right within your app.
And now here's OP bagging on this company for not disclosing this in some ToS or whatever, even though OP is the one abusing a free, obviously not-serious service.
Most local minification packages I tried spit out garbage, so just went with their API. Took a few hours to get a proper package stood up (the one I mentioned above).
I'd generally just assume that if you're injecting tracking/ analytics into an output you'd tell folks. As they didn't mention it, thought I'd just alert folks. Not sure why you're so outraged I mentioned this is happening.
Flabbergasted this idea made it's way into a real app, and flabbergasted this post made it's way onto the front page of HN.
You went through great lengths here to make sure everyone knows a random for-funsies "API" from a random google result doesn't behave like you expected it, complete with the multi-tweet write-up and everything.
Looking at what Toptal does, it seems glaringly obvious this "API" was setup for interview coding questions - nothing more.
You've drug this company's name and reputation through the mud, right onto the front page of HN. All over a misunderstanding on your part, as we all now know (Cloudflare doing what Cloudflare does and all...), and a misconfiguration on the web admin's part (missing page rule apparently).
I'll leave it at that... but perhaps your post/thread should be updated to indicate this company is in fact not doing what you have accused them of.
1. Toptal uses Cloudflare for DNS
2. Toptal uses Cloudflare Insights, which automagically inserts the tracking snippet of `https://static.cloudflareinsights.com/beacon.min.js/\\*`
3. You send the request to Toptal and somewhere along the line, Cloudflare misinterprets the request and injects the tracking code
It's not anything nefarious by Toptal. It's not their minify script. It's a misconfigured page rule, or similar. It's a bug.
https://community.cloudflare.com/t/beacon-min-js-as-malware/...
https://developers.cloudflare.com/analytics/web-analytics/
The site owner needs to configure cloudflare correctly to add analytics on certain pages only otherwise cloudflare injects it by default.