Firefox: how to enable the built-in tracking protection

Just read an article on BBC News that starts of with the AdBlock Plus team winning another case in a German court (yeay) and ended with a report on how Firefox also has built-in tracking protection which -for now- is off by default and is somewhat hidden. To enable it, just open about:config and set privacy.trackingprotection.enabled to true. I disabled Ghostery for now, let’s see how how things go from here.

Firefox preferences for greater privacy

Although browser addons such as NoScript and Ghostery (which is cross-browser with some limitations) provide great protection against tracking, some people prefer not to have to install plugins. Firefox does have configuration options to somewhat limit what trackers can do. You can follow the knowledge base article here to learn how to disable 3rd party cookies (the default setting in Safari, which Google was caught circumventing).
If you’re up to it, you also simply open up the almighty “about:config” and tinker with the following settings (some of which aren’t available in the browser UI):

  • network.cookie.cookieBehavior with values:
    • “0”: allow all cookies (default)
    • “1”: don’t allow 3rd party cookies
    • “2”: don’t allow any cookies
  • network.cookie.thirdparty.lifetimePolicy with values:
    • “0”: keep cookies for as long as the server asks
    • “1”: ask the user on each and every cookie set (try it out if only for fun, you’d be surprise how much cookies are set)
    • “2”: cookie gets deleted when you close your browser (i.e. at the end of the session)
    • “3”: cookies have a lifetime as defined in the “network.cookie.lifetime.days ” preference
  • network.cookie.thirdparty.sessionOnly: set to “true” or “false”
  • privacy.donottrackheader.enabled: set to “false” (default) or “true”, which gently asks sites not to track you

Setting “network.cookie.thirdparty.sessionOnly” to “true” is a low-impact change which should stop tracking-companies (think Media6degrees or Quantcast) from following you around the web.
If you want to stop Facebook, Google & Co to stop tracking you around the web as well, the above setting will not suffice. You should either log out of their sites as soon as you’ve done your business there or set “network.cookie.cookieBehavior” to “1” (which will break their “social widgets”). Or you can install Ghostery or NoScript, off course.

AddToAny now includes Lockerz tracking

Update 02-2015: things change, blogposts get out of date and indeed A2A is not owned by Lockerz any more.
AddToAny, one of the most popular sharing-widgets around, has had 3rd party tracking by Media6degrees for quite some time already. I wasn’t too happy about that, but it did have the no_3p option to disable this “functionality”. Half a year ago however AddToAny was acquired by Lockerz.com and it now includes tracking by Lockerz.com which cannot be turned off and does not check for navigator.doNotTrack either.
I’ve contacted the developer (Pat’s a swell guy, really) and he answered he would look into honoring the DoNotTrack header, which he wrote he’d love to include in Q1 somewhere. In the mean time, if you have AddToAny on your site, you can already hide the Lockerz “Earn” tab. And if you’re on WordPress, you could install (or upgrade) WP DoNotTrack, which I’ve updated to stop the Lockerz tracking (make sure lockerz.com is your blacklist).
If there’s a Drupalista out there that uses AddToAny and would like to stop Lockerz tracking; I’d be happy to co-author a Drupal DoNotTrack module, do get in touch!

Some 2011 numbers and 2012 goals

  1. This blog:
  2. WP YouTube Lyte, my WordPress plugin to do “lazy load YouTube embedding”, really took off:
    • 8 minor and 3 major releases (from 0.6.5 to 0.9.4), introducing support for features such as audio-only YouTube, embedding playlists, changing player size on the fly and translations in 6 languages (thanks to those six great contributors).
    • 48260 downloads
    • Main goal for 2012: stabilize and reach the magic 1.0.0 (which will probably include an optimized initialization-mechanism)
  3. My WP DoNotTrack plugin is somewhat … younger:
    • 2 releases
    • 336 downloads
    • Goals for 2012:
      • stop more types of tracking (a.o. by including black- or whitelist filtering of the HTML using the output buffer)
      • improve filtering
      • integrate (and possibly automate) tracking-detection using the webpagetest.org API
      • promote the idea of “DoNotTrack” in general and for WordPress and WP plugins & themes in particular (the plugin is just a means, not an end in itself)

But enough with all the navel-gazing, thanks for b(e)aring with me & have a great 2012 guys & girls!

Iframe sandboxing support coming soonish

Did you know you can limit the damage an iframe can do by adding the “sandbox” attribute? And that you can add a value to that attribute to loosen your grip if you choose to do so?
I remember reading about this a couple of years ago or so, but forgot as  support for this html5 spec was limited to Chrome (Apple added support in Safari as well). But while investigating a problem a WP DoNotTrack-user was facing, I re-discovered iframe sandboxing (it effectively stopped the javascript-based tracking inside the iframe) and noticed that support for it is to be included in Internet Explorer 10 and that Mozilla is finally working on an implementation as well.
So yeah, the option to sandbox iframe’s pointing to blacklisted (or non-whitelisted) hostnames will probably be in a future version of WP DoNotTrack. Stay tuned!

Configure WP DoNotTrack to block what you want

I pushed out a major new version of WP DoNotTrack to the WordPress plugin repository and major in this case means:

  • you can now choose between a blacklist and whitelist-approach (previous version did blacklisting only)
  • define what exactly is in that black- or whitelist (previous version came with a hardcoded blacklist)
  • option to block javascript-initiated tracking code from being added for all your visitors, or just those that explicitly opted out of tracking in their browser (supported in MS IE9 and Firefox 9, not supported in Google Chrome)
  • and off course an option-page under wp-admin to change all these settings

Because of these new features (4 of them) and because I think the plugin is already at least 50% mature, I decided to bump the version from 0.1.0 to 0.5.0. Never been good at math anyway …
If you encounter any problems when installing or configuring this plugin, you might find valuable info in the FAQ. But here’s two tips anyway:

  1. In general caching and js-aggregating plugins can interfere, so you might want to disable those while working on your WP DoNotTrack configuration and re-enable (with cleared caches) once you’re satisfied with the result.
  2. If you’re running WP YouTube Lyte with the bonus “donottrack” feature activated, you’ll want to deactivate that before installing/ activating WP DoNotTrack. If you don’t do that, you’ll have to turn to the FAQ …

Don’t hesitate to contact me or leave a comment beneath this here little blogpost if you run into problems, if have a feature request or if you just want to chat a little. I just love receiving feedback!

It’s official: you can not track your visitors

After almost a year of tinkering with my Donottrack-plugin for WordPress, I’ve requested it to be hosted in the WordPress repositories and uploaded version 0.1.0. So if you’re using Donottrack on your blog, or if you activated this “bonus feature” of WP YouTube Lyte, I propose you give WP DoNotTrack a try and let me know what gives here in the comments or via the contact form?
From the readme:

WP DoNotTrack stops plugins and themes from adding 3rd party tracking code to your blog to protect your visitor’s privacy. WP DoNotTrack uses (a slightly modified) version of jQuery AOP to catch and inspect elements that are about to be added to the DOM and renders these harmless if the black- or whitelist says so.
The current version is blacklist-based and stops tracking by media6degrees and quantserve. This can easily be changed in the javascript though. Future versions will include a WordPress admin-page to change these settings.

Applying Javascript AOP-magic to stop 3rd party tracking in WordPress

It was always my intention to elaborate on my small donottrack plugin for WordPress, but it was only when Automattic upgraded to the new asynchronous Quantcast code that I was forced to look actually dig in.
The new Quantcast-code doesn’t use the old-fashioned document.write, but inserts the javascript asynchronously with an insertBefore on the parent of the first script-node (as popularized by the asynchronous Google Analytics-code). Variations on this method would include e.g. using appendChild or adding it to head (although that might not exist).
A couple of months ago I experimented with the DomNodeInserted event, but that isn’t supported by all browsers. And even when it works, I found no consistent way to stop the tracking script (which was already added to the DOM, as the event is triggered after) from being loaded or executed. But last week while searching for a better solution I found a reference to javascript AOP on StackOverflow and after following some links I discovered the JQuery AOP-plugin.
JQuery AOP allows one to (amongst other things) add an advice around a method. When the method is called, the advice kicks in before the execution. The advice is a function which can investigate and change the parameters used by the method. And that’s exactly what the current version of DoNotTrack does; it has AOP.around (I’ve removed the JQuery dependency) catch insertBefore and appendChild, investigates the src-attribute and replaces that value if it points to quantserve.com before allowing the method execution to proceed.

scriptParent=document.getElementsByTagName('script')[0].parentNode;
aop.around( {target: scriptParent, method: /[insertBefore|appendChild]/},
        function(invocation) {
                if ((typeof(invocation.arguments[0].src)==='string')&&((invocation.arguments[0].tagName.toLowerCase()==='script')||(invocation.arguments[0].tagName.toLowerCase()==='img'))) {
                        if (sanitizer(invocation.arguments[0].src)===true){
                             invocation.arguments[0].src='javascript:return false;';
                        }
                }
                return invocation.proceed();
        }
);

I’m working on a more generic version of an AOP-based WordPress Privacy plugin now. In a first stage it will probably be based on a blacklist, that is editable in the WP Privacy options-screen but at a later date a whitelist-based approach will be added (based on an integration with webpagetest.org). Let’s add that to my New Years resolution for 2012, shall we?

WP YouTube Lyte 0.9.0: size matters

I uploaded a new version of WP YouTube Lyte to the WordPress SVN repository earlier today. The markdown parser seems to be in a bad mood today and the changes in the readme.txt (the changelog, first and foremost) aren’t visible, so here’s what’s new in this release:

  • you can now change player size from the default one (as proposed by Edward Owen); httpv://www.youtube.com/watch?v=_SQkWbRublY#stepSize=-2 or httpv://youtu.be/_SQkWbRublY#stepSize=+1 will change player size to one of the other available sizes in your choosen format (4:3 or 16:9)
  • added a smaller 16:9 size and re-arranged player sizes on the options-screen
  • Bugfix: changed lyte-div ID to force it to be xhtml-compliant (ID’s can’t start with a digit, hat tip: Ruben of ytuquelees.net
  • Bugfix: added version in js-call to avoid caching issues (lyte-min.js?ver=0.8.1) as experienced by some users and reported by Ryan of givemeshred.com
  • Upgrade to the “bonus feature” to fix things (consider this beta though)
  • Languages: added Hebrew (by Sagive SEO) and Catalan (by Ruben of ytuquelees.net) translations and added completed Spanish version (thanks to Paulino Brener from Social Media Travelers)
  • tested succesfully on WordPress 3.3 (beta 2)

The (slightly smaller) lyte-embedded YouTube video to go with this release: “She wants” by Metronomy (very Japan-esque by the way):

Metronomy - She Wants (Official Video)

As always, your feedback is welcome in the comments or via the contact form!

WP Privacy: Quantcast sneaks back in

After almost a year of peace and quiet, Quantcast tracking code has returned to this blog. As reported by Brian Yang, the stupid hack that stopped the code from being included doesn’t work any more. Automattic recently switched to the new Quantcast-code, which instead of using the old-fashioned document.write now gets inserted asynchronously by a DOM-method (insertBefore). I’m looking at ways to stop this from happening or at least limit it one way or the other, but for the time being there’s no fix. Bear with me and do speak up (in the comments below of via the contact form) if you think you can help!