For those of us living under a rock, what’s Gumroad?
An online ecommerce platform.
It’s similar to Etsy. Targets smaller creators, values individual-made goods, but focuses on digital content, like soundtracks, 3D assets, etc.
I remember reading about Gumroad it used to be mostly for NSFW art, but they did a Tumblr and banned it. Maybe this is related to the loss of revenue.
Edit: found the article
Taking 30% off of physical goods sounds criminal to me.
What a terrible platform, I knew they would get desperate after banning porn.
They banned porn?? I used to follow Gumroad’s founder on Twitter, he seemed like a good person.
Yep, there was a rush over at kemono party to try and archive gumroad stuff that artists sold there because it would be hidden/deleted.
These artists should switch platforms because the query string isn’t the only way they can track attribution. If they see people doing this they will just switch to something else if they don’t already use another method as well.
I’ll just skip the whole place
some of us have been ever since gumroad worked with st*netoss
Never heard of that platform before, is it US only?
I’m only familiar with Gumroad because a lot of artists use it to sell their VRChat avatars and 3D printing files. I wasn’t keen on the fact that a few items I went to buy weren’t actually still for sale and the only thing telling you this was after you attempted to make the purchase.
Lots of blender extensions are on gumroad, especially “pay what you want” ones.
No, it’s just one of many. I’ve purchased stuff from gum road before.
I’m sorry to disappoint, but this will most likely not work. As soon as you make such a request, a session is created, which is stored in the cookie. And if they are real big asses, they only use the IP address to correlate the user to a session.
In general I use this app before I share or follow any links:
But did you try in this case? Because it doesn’t seems to have a sanitizer handling gumroad, in fact the sanitizer list is quite limited.
Oh you’re right. I thought you could add your own. Either way they push updates regularly, I bet if someone asked for a specific one, or maybe asked to be able to add their own, they would do it.
deleted by creator
Are you sure a new tab is necessary? Simply removing the tracking data and hitting Enter should be enough.
Probably an abundance of caution. I’m pretty sure referrer headers wouldn’t be sent if you modified the URL and that’s the only concern I can think of.
*For a new tab that is. Cookies aren’t going to care about a new tab unless you open a private one first.
We need browser extensions to kill those tags automatically.
In general I use this app before I share or follow any links:
Thanks, I have that too I think. It’s great for sharing from my phone. On my laptop I have a python script that is a lot fancier that I’d like to rewrite as a browser extension someday.
For your desktop, you can use https://linkcleaner.app/
This the most tech illiterate take…
These are called query parameters. The standard part of the HTTP spec.
A huge part of the internet uses these simply as a way to instruct a page to display certain data or to display a particular view or layout of that data.
Calling for an extension to get rid of these it’s like calling for an extension to get rid of headers because websites use them to pass metadata in the same manner.
Edit: that was harsh my apologies.
There are in fact many extensions designed to suppress or rewrite headers, most notably cookies, but also proxy headers and other things like that. Stripping out privacy invading (or in this case revenue redirecting) query parameters is another thing that extensions can do, and there are various extensions for that too, including apparently ublock origin (UBO).
UBO is not able to rewrite urls completely (a deliberate decision to protect users from accidental or intentional security breaking rules appearing in rule lists) but there are other extensions that do that too, like changing www.reddit.com to old.reddit.com, or bypassing google redirects and link shorteners that snoop on user activity. The web is a predator-prey ecosystem (users are mostly prey) and it is necessary to respond to new hazards as they appear.
I use this filter in ublock to remove them: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt.
These things are very privacy invading, many of them have information that can identify the users. I don’t think douglasg14b knows what he is talking about. Yes they are query parameters, but they are used for many things such as advertisment for example or referrals, I think it is fine to remove query parameters that are not necessary.
https://www.ieee-security.org/TC/W2SP/2014/papers/privacy_query_strings.pdf
Sometimes the website sends sensitive data through query strings which is a common security issue.
https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
You were so, so much more polite than I would have been
Firefox I believe does. If you right click on a link, it says something like “copy link without tracking”. It should do away with queries in the URL, but I’m not completely sure.
https://www.trishtech.com/2024/10/how-to-disable-copy-link-without-site-tracking-in-firefox/
This is definitely what it’s supposed to do (and a great feature) but unfortunately it doesn’t work that well. Have tried this many times, especially with Amazon links, and it seems to be a bit inconsistent in its effectiveness.
If a platform gets traction and is good at removing them, then links will be more obfuscated to deal with it.
Good to know.
You probably also need to clear your cookies as well. I can’t really see this being done only via GET
Yeah, I cannot imagine any reason they wouldn’t use cookies to track this. The moment you arrive via an affiliate link they’re going to know that that’s how you got to the site for that session.
That’s not going to work for links sent by text or whatever.
How do you think that would work? Like the site with the affiliate link should drop a third party cookie for gumroad? That’s a pretty big requirement.
When you go to the website, it can save that cookie for the session, even if you later remove the parameter.
I don’t understand. Cookies and request method are two different things. You can set cookies on GET.
Oh nice, that is pretty new, but will have to see if it works on those gumroad links. I have an offline script (not a browser extension, I haven’t bothered figuring out how to write those) that edits urls to remove tracking and it’s quite a pain, since there are dozens of sites and tracking schemes it has to know about. Also, rather than creating a pasteable url, a suitable browser extension should just rewrite the link automatically before navitation when you click on it.
uBlock Origin filter or ClearURLs for example.
In the case of uBO, just search for “url” in the filter list and you should find it.
The URL tracking filter list is nice but it doesn’t seems to include anything related to gumroad domain or parameters.
https://filters.adtidy.org/extension/ublock/filters/17.txt
You need to add it yourself.
An uBlock Origin custom filtrer should do.
Hmm, I thought ublock origin could only block links, not rewrite them. Am I missing something? I just looked through the docs and only see block/allow/noop rules, and I remember reading something a while back about how the devs didn’t want to rewrite. I’d love to have a pointer to the docs about how to do this if I’m wrong. Thanks ;)
Added: https://old.reddit.com/r/uBlockOrigin/comments/b9tdky/rule_for_redirecting_urls_to_cleaner_ones/ points to some github issues related to this.
Use removeparam.
The URL tracking protection filter list uses this and is a nice list to enable.
Thanks! I saw the GH issue about that but didn’t figure out that it had been deployed.
For those of you with Apple devices, I’m pretty sure current versions of Mac OS and iOS remove tracking arguments from URLs when you use cut/copy/paste/share.
https://9to5mac.com/2023/06/08/ios-17-link-tracking-protection/
Also this only applies in private browsing mode, which people usually aren’t in
This is about removing tracking arguments that identify users, this is not the case here.
The example in your link even show it’s keeping campaign tracking arguments. So I’m pretty sure it would keep the one we are talking about here.
OK, I think the real solution is that I’m never using Gumroad again. Sad, as some really good dnd stuff was there
https://bsky.app/profile/stargazerbird.pmd.social/post/3ld4tz3hllc2u
Based of that, it sounds like it’s affect people who had opted into the boosted discovery since that was already a thing and that was 30%+. The simplified wording doesn’t help but I’m feeling this got way blown out of proportion. Humanity does that nowadays.
A dumb policy with perhaps an even dumber implementation. Basing profit sharing percentages off query parameters 🫨 ?
That’s how basically all affiliate links work.
This time it’s just the merchant getting more or less from the creator. vs doing the split with the linker and the merchant.
Also 10% is pretty low, normally merchants take like 30% cut by default so they have plenty to share.
The parameters are how you get to the store.
If the creator is driving the traffic, Gumroad takes 10%. If Gumroad is driving the traffic, they take a commission of 30%
I understand that. That approach is just really easy to manipulate.
Not any more than any other tracking method. They control it all.
If anything, the fact that they give you a method to alter how your purchase is tracked so you can still give the creator 90% when you get to them through their store is pro-creator.
The ability to alter the tracking is an exploit, not a feature. Don’t get me wrong, I’m glad it’s possible, but it seems more a result of a lazy implementation rather than a generous choice.
Not any more than any other tracking method.
This isn’t true. There are more opaque ways to track this like cookies, redirects (triggering an api call), and scripts. These could also be exploited depending on how they’re done, but it would be way less obvious than just changing the URI.
It just seems like they chose the simplest method, thus hampering the effectiveness of their greed.
All the solution you proposed have big tradeoffs. Most would require to run some code on the site where the URL is, which is often not an option. And they would not work if the link is shared between people. For a lot of cases the solution they used seems to be the best one.
I believe that this is only for links from their Discover view, which is same-origin.
Wait, you’re complaining that end users can change it?
Yes, there are ways the website could prevent that. I’m not sure why that goal serves any purpose, though. Defaults are going to get them the vast majority of the commissions they earn, and being simple and easy for users who really want to reward the creators more to do so is worth the negligible cost.
Getting commission on sales you make isn’t greed.
Enshittification seems damn inevitable these days.