Stop Allowing Google to use its "Backdoor" script loader

I use Dan Pollock's hosts file to block Google Analytics but they found a way around it. I've seen this on the Telegram website and now I'm seeing it on Bootstrap while helping with the Hugo dev:

https://www.reddit.com/r/privacy/comments/8clrzn/google_your_backdoor_to_the_internet/

The way this works is Google uses a backdoor script loader as explained above—it's base64 encoded—the specific script Bootstrap tried to load on my machine while working doing development was this one here: https://www.google.com/js/bg/4mrRnEPnWo81qWPG8_xcGP85HCscbg1O2YUrIewxQYY.js

This script loader relies on the fact many may have explicitly blocked google analytics and it uses the technique to get around the block in a most uncouth way. If you'd like a HAR file showing the requests I will reproduce this for you—if you can commit to an investigation and fix for this cross-domain JS script loader.

[Johann-S]

Hi @JHabdas,

I read what you linked to us, but I can't figure how it's related to Bootstrap source code 🤔

[patrickhlauke]

i'll take a stab in the dark and say this relates to getbootstrap.com's analytics snippet? (which you'd also get when viewing offline/locally built site/documentation when developing)

@patrickhlauke yep. it defeated my hosts file. i have more info on it which I can dig up but I haven't seen it in about 6 months (not a GA user personally—don't have a google account). again, if you need more research I can dig it up but the basics should be in the reddit link above.

Overall I feel this can be mitigated with a tracking opt-out, which probably should've been added last may along with a so called "cookie disclaimer".

Ref: freeCodeCamp/devdocs#971 badges/shields#3026

[bardiharborow]

We should disable GA for local docs, consider GDPR implications, and see what can be done to make GA well-behaved. Ideally we'd remove it in favour of server/CDN-side analytics but that's probably more mdo's call.

[Lausselloic]

or put a cookie-consent manager like https://github.com/AmauriC/tarteaucitron.js ?

[XhmikosR]

A cookie consent is doable although TBH they annoy me a lot.

@mdo: what do you prefer: opt-in or opt-out tracking?

[bardiharborow]

@JHabdas, I know you've deleted your account, but perhaps you'll see this. Blocking www.google-analytics.com by any means will disable GA tracking. I'm not sure what the Reddit thing is all about, but we load a JavaScript file from www.google-analytics.com and if this doesn't load then GA will never have a chance to boot up. Dan's host file includes a commented out rule for this, which I assume you have enabled. That should work.

@XhmikosR I also share a mutual disdain for cookie consent. While I understand there may be EU law implications, from a purely technical perspective and given the current state of the internet, the best option we have going forward is honoring Do Not Track. We should consider disabling GA on this switch:

navigator.doNotTrack === "1" || navigator.doNotTrack === "yes" || window.doNotTrack == "1" || navigator.msDoNotTrack == "1"

There's also Carbon Ads to consider.

[XhmikosR]

Yeah, I personally don't care about local. But maybe we should do something so that we are GDPR compliant. IIRC we just ignored it until now.

[coliff]

There a number of 'built-in' privacy features in Hugo we could take advantage of. I often add the following to my Hugo sites config.yml:

privacy:
  googleAnalytics:
    anonymizeIP: true
    respectDoNotTrack: true
    useSessionStorage: true
  twitter:
    enableDNT: true
  youtube:
    privacyEnhanced: true

The Google Analytics one will use session storage instead of cookies, won't track the last octet of the user's IP address and respect do not track.

You can read more about the options here: https://gohugo.io/about/hugo-and-gdpr/