elbywan/yett

Possible limitations

Gregoirevda opened this issue · 7 comments

  1. If another script tag has the async attribute, it will be downloaded in parallel and could be executed before the Yett script. The MutationObserver will be registered after the script and therefore not prevent its execution.
  2. In the context of GDPR, the script should prevent communicating personal data cross-domain.
    Since all scripts are downloaded (even if not executed), they still send all third-party cookies with the HTTP GET to download the script, which lets the third party know which websites you visit.

Hi @Gregoirevda,

If another script tag has the async attribute, it will be downloaded in parallel and could be executed before the Yett script. The MutationObserver will be registered after the script and therefore not prevent its execution.

Yett is supposed to be loaded in a blocking manner before other script tags are parsed. Attributes like async or defer should not matter in this case.

In the context of GDPR, the script should prevent communicating personal data cross-domain.
Since all scripts are downloaded (even if not executed), they still send all third-party cookies with the HTTP GET to download the script, which lets the third party know which websites you visit.

I don't think that the CORS request contains cookies by default unless the tag has a crossorigin attribute.

The response can set cookies if it has a Set-Cookie header, unless you change the script tag type attribute manually which should prevent Chrome, Firefox (and Edge Chromium) from even downloading the script.

Yett is supposed to be loaded in a blocking manner before other script tags are parsed. Attributes like async or defer should not matter in this case.

You're right, this made it more clear to me:
https://stackoverflow.com/a/39711009

  1. Not linked to script execution, but script download:
    When this is downloaded, but not executed
<script src="https://my-blacklisted-domain.com/file.js"></script>

If https://my-blacklisted-domain.com/file.js has already set cookies previously, they will be sent to the server during file download, which cannot be prevented. I've made a demo I can share if you want.
The advertisement solution I've tested doesn't send that initial cookie, but I haven't tested others.

If https://my-blacklisted-domain.com/file.js has already set cookies previously, they will be sent to the server during file download, which cannot be prevented. I've made a demo I can share if you want.

Can you try using the crossorigin attribute that I linked above? I just checked quickly and it seems to prevent the cookies from being sent.

<script src="https://my-blacklisted-domain.com/file.js" crossorigin="anonymous"></script>

To reproduce

  1. Browse unpkg.com and type in the browser console document.cookie = "toto=titi;".
  2. Browse the yett demo page (https://snipsco.github.io/yett/) and type in the console:
elt = document.createElement("script");
elt.src = "https://unpkg.com/yett@0.1.11/dist/yett.min.js";
document.head.appendChild(elt);

Notice that the cookies were sent:

Host: unpkg.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://snipsco.github.io/
Cookie: toto=titi
Pragma: no-cache
Cache-Control: no-cache
  3. Do the same and add the crossorigin attribute this time:
elt = document.createElement("script");
elt.src = "https://unpkg.com/yett@0.1.11/dist/yett.min.js";
elt.crossOrigin = "anonymous";
document.head.appendChild(elt);

Notice that the cookies are not sent anymore.

Host: unpkg.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Origin: https://snipsco.github.io
DNT: 1
Connection: keep-alive
Referer: https://snipsco.github.io/yett/
Pragma: no-cache
Cache-Control: no-cache
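The two levers discussed in this thread (a non-JavaScript `type` stops the download entirely; `crossorigin="anonymous"` downloads without the third party's cookies) modelled in plain JavaScript. This is an added example, not yett's own code: `isBlocklisted`, `modelFetch` and `harden` are hypothetical names, and the blocklist and page origin are constructed sample values.

```javascript
// Added example (not part of the yett project). `harden` is a hypothetical
// policy helper; yett's real API is not used here.
const BLOCKED_TYPE = "javascript/blocked"; // any non-JS type: browser will not fetch

// True when `src` points at one of the blocklisted hosts (or a subdomain).
function isBlocklisted(src, blocklist, pageOrigin) {
  let host;
  try {
    host = new URL(src, pageOrigin).hostname;
  } catch (e) {
    return false; // unparsable src: leave the tag alone
  }
  return blocklist.some((d) => host === d || host.endsWith("." + d));
}

// Models what the browser does with a <script> given its attributes.
// credentials "include" means the third party's cookies ride along on the GET.
function modelFetch({ src, type, crossOrigin }, pageOrigin) {
  const jsTypes = ["", "text/javascript", "application/javascript", "module"];
  if (!jsTypes.includes((type || "").toLowerCase())) {
    return { fetched: false, credentials: "omit" }; // the trick yett relies on
  }
  let sameOrigin;
  try {
    sameOrigin = new URL(src, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return { fetched: false, credentials: "omit" };
  }
  if (sameOrigin || crossOrigin === "use-credentials") {
    return { fetched: true, credentials: "include" };
  }
  // crossorigin="anonymous" (or "") = CORS request in same-origin credentials
  // mode: cookies only go to the page's own origin, so none to the third party.
  if (crossOrigin === "anonymous" || crossOrigin === "") {
    return { fetched: true, credentials: "omit" };
  }
  return { fetched: true, credentials: "include" }; // classic no-cors script request
}

// Policy: blocklisted scripts get a non-JS type (no download at all); other
// scripts get crossorigin="anonymous" so the download carries no cookies.
function harden(attrs, blocklist, pageOrigin) {
  const out = { ...attrs };
  if (isBlocklisted(attrs.src, blocklist, pageOrigin)) {
    out.type = BLOCKED_TYPE;
  } else if (out.crossOrigin == null) {
    out.crossOrigin = "anonymous";
  }
  return out;
}
```

One caveat when applying `crossorigin="anonymous"` to real tags: the server must answer with an `Access-Control-Allow-Origin` header, otherwise the browser rejects the response and the script never runs.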

Agreed, crossorigin="anonymous" prevents the cookies from being sent during file download.

Thank you for your quick replies!

Could be worth documenting the crossorigin="anonymous" tip in the readme - wdyt @elbywan?

@pocketjoso Yeah it could be useful, I'll add something 👍.

Something else that might be good to mention is that
<link rel="preload" href="ads.com" as="script">

will be loaded before all other script tags, but execution order is preserved. crossorigin="anonymous" also prevents sending cookies on link