Privacy and exclusions¶
Browser history can reveal private interests, accounts, health concerns, and internal services. The importer applies local exclusions before any URL is sent and records why each local exclusion matched.
What stays on the Mac¶
The importer never uploads:
- the Safari, Firefox, or Chromium SQLite database;
- a database WAL or shared-memory sidecar;
- cookies, saved passwords, form data, or browser session state; or
- downloaded page HTML or extracted page content.
To avoid reading a live browser database in place, the database and any
-wal/-shm files are copied into a temporary directory. The copy is opened
read-only and removed when the reader finishes.
The local state database stores URLs, Refindery page IDs, outcomes, errors, timestamps, status, profile watermarks, and exclusion reasons. Protect it as sensitive browsing data.
What Refindery receives¶
For an eligible URL, POST /v1/pages contains:
url;- the browser title, when available;
- a source such as
history-import:chrome; fetched_at, set to the most recent browser visit;- the local machine hostname;
- the primary browser and profile;
- combined visit count plus first and last visit timestamps; and
- a per-profile source list when the URL appeared in more than one profile.
The bearer token is sent in the HTTP Authorization header. Refindery then
fetches and extracts the page using its own network access and policies.
History is metadata
Even without page bodies, URLs, titles, profile names, timestamps, and the machine hostname can be sensitive. Review a dry run and exclusion settings before the first real import.
Always-on local exclusions¶
The following URLs never reach Refindery:
- schemes other than
httpandhttps; localhostand subdomains of.localhost;.localhostnames; and- loopback, private, and link-local IP addresses, including RFC 1918 ranges.
These checks cannot be disabled through configuration.
Sensitive categories¶
Four built-in categories match known domains and, for some categories, URL path keywords:
| Category | Default | Examples of coverage |
|---|---|---|
banking |
Enabled | Banks, brokerages, payment providers, and cryptocurrency exchanges. |
health |
Enabled | Insurers, pharmacies, care providers, and /mychart paths. |
auth_webmail |
Enabled | Login, OAuth, SSO, password/MFA paths, and major webmail hosts. |
adult |
Disabled | A maintained set of adult-content domains. |
Configure them explicitly in config.toml:
Category domain matching includes subdomains. Path keywords are case-insensitive literal substrings of the URL path. Category lists reduce accidental exposure; they are not exhaustive classifiers.
Custom domain rules¶
Add domains that should never be submitted:
example.com matches both the exact host and any subdomain. A leading *. is
accepted but normalized away, so the two forms have the same behavior.
Custom URL patterns¶
Use shell-style wildcard patterns against the complete URL:
Patterns use Python fnmatch semantics. Matching is case-sensitive against the
full URL string.
Evaluation order¶
Only the first match is recorded. Rules run in this order:
- URL scheme and parseability;
- local/private host detection;
- enabled sensitive categories;
- custom domains; and
- custom URL patterns.
Dry-run and end-of-run reports group skips by kind. Exact URLs, rule names, and
timestamps are available in the local skips table.
Local exclusions versus server blacklist¶
Local exclusions prevent a request from leaving the Mac. Refindery's blacklist
is enforced by the backend and can protect every ingest client. A server
blacklist match returns 403 and is recorded locally as a handled submission.
Use forget and blacklist commands when content has already reached Refindery. Removing a server blacklist rule allows future ingestion; it does not restore content that was purged.