
Possible limitations #20

Closed
Gregoirevda opened this issue Mar 15, 2020 · 7 comments
Labels
question Further information is requested

Comments

@Gregoirevda

  1. If another script tag has the async attribute, it will be downloaded in parallel and could be executed before the Yett script. The MutationObserver will be registered after the script and therefore not prevent its execution.
  2. In the context of GDPR, the script should prevent communicating personal data cross-domain.
     Since all scripts are downloaded (even if not executed), they still send all third-party cookies with the HTTP GET to download the script, which lets the third party know which websites you visit.
@elbywan
Owner

elbywan commented Mar 15, 2020

Hi @Gregoirevda,

If another script tag has the async attribute, it will be downloaded in parallel and could be executed before the Yett script. The MutationObserver will be registered after the script and therefore not prevent its execution.

Yett is supposed to be loaded in a blocking manner before other script tags are parsed. Attributes like async or defer should not matter in this case.

In the context of GDPR, the script should prevent communicating personal data cross-domain.
Since all scripts are downloaded (even if not executed), they still send all third-party cookies with the HTTP GET to download the script, which lets the third party know which websites you visit.

I don't think that the CORS request contains cookies by default unless the tag has a crossorigin attribute.

The response can set cookies if it has a Set-Cookie header, unless you change the script tag type attribute manually which should prevent Chrome, Firefox (and Edge Chromium) from even downloading the script.

@elbywan elbywan added the question Further information is requested label Mar 15, 2020
@Gregoirevda
Author

Gregoirevda commented Mar 15, 2020

Yett is supposed to be loaded in a blocking manner before other script tags are parsed. Attributes like async or defer should not matter in this case.

You're right, this made it more clear to me:
https://stackoverflow.com/a/39711009

  1. Not linked to script execution, but script download: when this is downloaded, but not executed:

<script src="https://my-blacklisted-domain.com/file.js"></script>

If https://my-blacklisted-domain.com/file.js has already set cookies previously, they will be sent to the server during file download, which cannot be prevented. I've made a demo I can share if you want.
The advertisement solution I've tested doesn't send that initial cookie, but I haven't tested others.

@elbywan
Owner

elbywan commented Mar 15, 2020

If https://my-blacklisted-domain.com/file.js has already set cookies previously, they will be sent to the server during file download, which cannot be prevented. I've made a demo I can share if you want.

Can you try using the crossorigin attribute that I linked above? I just checked quickly and it seems to prevent the cookies from being sent.

<script src="https://my-blacklisted-domain.com/file.js" crossorigin="anonymous"></script>

To reproduce

  1. Browse unpkg.com and type in the browser console document.cookie = "toto=titi;".
  2. Browse the yett demo page (https://snipsco.github.io/yett/) and type in the console:
elt = document.createElement("script");
elt.src = "https://unpkg.com/yett@0.1.11/dist/yett.min.js";
document.head.appendChild(elt);

Notice that the cookies were sent:

Host: unpkg.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://snipsco.github.io/
Cookie: toto=titi
Pragma: no-cache
Cache-Control: no-cache
  3. Do the same and add the crossorigin attribute this time:
elt = document.createElement("script");
elt.src = "https://unpkg.com/yett@0.1.11/dist/yett.min.js";
elt.crossOrigin = "anonymous";
document.head.appendChild(elt);

Notice that the cookies are not sent anymore.

Host: unpkg.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Origin: https://snipsco.github.io
DNT: 1
Connection: keep-alive
Referer: https://snipsco.github.io/yett/
Pragma: no-cache
Cache-Control: no-cache

@Gregoirevda
Author

Agreed, crossorigin="anonymous" prevents the cookies from being sent during file download.

Thank you for your quick replies!

@pocketjoso
Contributor

Could be worth documenting the crossorigin="anonymous" tip in the readme - wdyt @elbywan?

@elbywan
Owner

elbywan commented Mar 15, 2020

@pocketjoso Yeah it could be useful, I'll add something 👍.

@Gregoirevda
Author

Something else that might be good to mention is that

<link rel="preload" href="ads.com" as="script">

will be loaded before all other script tags, but execution order is preserved. crossorigin="anonymous" also prevents sending cookies on link.
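Added example (not yett's code, nor any participant's) that puts the two controls discussed in this thread side by side: blocking execution of a blacklisted script by giving it a non-JavaScript type, and stripping cookies from the cross-origin download of a script or preload link with crossorigin="anonymous". Assumptions: tags are plain objects rather than DOM elements, the blacklist holds hostnames, and "javascript/blocked" is an assumed marker type.

```javascript
// Decide how a <script src> or <link rel="preload" as="script"> tag should be
// rewritten before the browser fetches it. Two independent controls:
//   1. execution: a blacklisted script gets a non-JavaScript type, so even if
//      it is downloaded it is never run;
//   2. credentials: a cross-origin fetch gets crossorigin="anonymous", so the
//      GET request carries no cookies for the third-party domain.
// Same-origin fetches are left alone: crossorigin has no effect on them.
const BLOCKED_TYPE = "javascript/blocked"; // assumed marker, not a real MIME type

function hostMatches(hostname, blacklist) {
  // Match the host itself or any subdomain of a blacklisted host.
  return blacklist.some(h => hostname === h || hostname.endsWith("." + h));
}

function planTag(tag, pageUrl, blacklist) {
  // tag: { name: "script" | "link", src | href, type?, crossOrigin? }
  const url = tag.name === "link" ? tag.href : tag.src;
  const plan = { ...tag, blocked: false, credentialless: false };
  if (!url) return plan;                          // inline script: nothing is fetched
  let target;
  try { target = new URL(url, pageUrl); } catch { return plan; } // unparsable URL: leave as is
  const page = new URL(pageUrl);

  // Only add crossorigin when the author did not set one explicitly
  // (an explicit "use-credentials" is a deliberate opt-in).
  if (target.origin !== page.origin && !tag.crossOrigin) {
    plan.crossOrigin = "anonymous";
    plan.credentialless = true;
  }
  if (hostMatches(target.hostname, blacklist)) {
    plan.blocked = true;
    // For a preload link the caller should drop the tag instead: there is no
    // point prefetching a script that will never execute.
    if (tag.name === "script") plan.type = BLOCKED_TYPE;
  }
  return plan;
}

// Browser binding (not exercised here): apply a plan to a live element
// before it is inserted into the document.
function applyPlan(el, plan) {
  if (plan.crossOrigin) el.crossOrigin = plan.crossOrigin;
  if (plan.type) el.type = plan.type;
}
```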
