Tag Archives: donottrack

Applying Javascript AOP-magic to stop 3rd party tracking in WordPress

It was always my intention to elaborate on my small donottrack plugin for WordPress, but it was only when Automattic upgraded to the new asynchronous Quantcast code that I was forced to look actually dig in.

The new Quantcast-code doesn’t use the old-fashioned document.write, but inserts the javascript asynchronously with an insertBefore on the parent of the first script-node (as popularized by the asynchronous Google Analytics-code). Variations on this method would include e.g. using appendChild or adding it to head (although that might not exist).

A couple of months ago I experimented with the DomNodeInserted event, but that isn’t supported by all browsers. And even when it works, I found no consistent way to stop the tracking script (which was already added to the DOM, as the event is triggered after) from being loaded or executed. But last week while searching for a better solution I found a reference to javascript AOP on StackOverflow and after following some links I discovered the JQuery AOP-plugin.

JQuery AOP allows one to (amongst other things) add an advice around a method. When the method is called, the advice kicks in before the execution. The advice is a function which can investigate and change the parameters used by the method. And that’s exactly what the current version of DoNotTrack does; it has AOP.around (I’ve removed the JQuery dependency) catch insertBefore and appendChild, investigates the src-attribute and replaces that value if it points to quantserve.com before allowing the method execution to proceed.


aop.around( {target: scriptParent, method: /[insertBefore|appendChild]/},
        function(invocation) {
                if ((typeof(invocation.arguments[0].src)==='string')&&((invocation.arguments[0].tagName.toLowerCase()==='script')||(invocation.arguments[0].tagName.toLowerCase()==='img'))) {
                        if (sanitizer(invocation.arguments[0].src)===true){
                             invocation.arguments[0].src='javascript:return false;';
                return invocation.proceed();

I’m working on a more generic version of an AOP-based WordPress Privacy plugin now. In a first stage it will probably be based on a blacklist, that is editable in the WP Privacy options-screen but at a later date a whitelist-based approach will be added (based on an integration with webpagetest.org). Let’s add that to my New Years resolution for 2012, shall we?

WP YouTube Lyte 0.9.0: size matters

I uploaded a new version of WP YouTube Lyte to the WordPress SVN repository earlier today. The markdown parser seems to be in a bad mood today and the changes in the readme.txt (the changelog, first and foremost) aren’t visible, so here’s what’s new in this release:

  • you can now change player size from the default one (as proposed by Edward Owen); httpv://www.youtube.com/watch?v=_SQkWbRublY#stepSize=-2 or httpv://youtu.be/_SQkWbRublY#stepSize=+1 will change player size to one of the other available sizes in your choosen format (4:3 or 16:9)
  • added a smaller 16:9 size and re-arranged player sizes on the options-screen
  • Bugfix: changed lyte-div ID to force it to be xhtml-compliant (ID’s can’t start with a digit, hat tip: Ruben of ytuquelees.net
  • Bugfix: added version in js-call to avoid caching issues (lyte-min.js?ver=0.8.1) as experienced by some users and reported by Ryan of givemeshred.com
  • Upgrade to the “bonus feature” to fix things (consider this beta though)
  • Languages: added Hebrew (by Sagive SEO) and Catalan (by Ruben of ytuquelees.net) translations and added completed Spanish version (thanks to Paulino Brener from Social Media Travelers)
  • tested succesfully on WordPress 3.3 (beta 2)

The (slightly smaller) lyte-embedded YouTube video to go with this release: “She wants” by Metronomy (very Japan-esque by the way):

Metronomy - She Wants (Official Video)
Watch this video on YouTube.

As always, your feedback is welcome in the comments or via the contact form!

WP Privacy: Quantcast sneaks back in

After almost a year of peace and quiet, Quantcast tracking code has returned to this blog. As reported by Brian Yang, the stupid hack that stopped the code from being included doesn’t work any more. Automattic recently switched to the new Quantcast-code, which instead of using the old-fashioned document.write now gets inserted asynchronously by a DOM-method (insertBefore). I’m looking at ways to stop this from happening or at least limit it one way or the other, but for the time being there’s no fix. Bear with me and do speak up (in the comments below of via the contact form) if you think you can help!

Quercus PHP on GAE: pining for file handles

Quercus really is great stuff; it allows nitwits like me to develop crappy PHP-applications and to deploy them on Google’s App Engine. But when you combine the limitations of Quercus’ PHP implementation with those of GAE, you’re going to have to code around some problems you wouldn’t be facing when developing a “normal” PHP webapp.

One example based on my limited experience (while writing a scanner service to detect “foreign” objects in websites for my future wp-privacy plugin): I had a CSV-file that had to be downloaded & parsed. Normally you would fopen the remote file and than use fgetcsv retrieve all data line per line. Or, if you’d prefer, you could fetch the file with mighty CURL and parse it using str_getcsv. But those approaches don’t work when in Quercus on GAE; fopening remote files doesn’t work (blame GAE)  and while you can Curl the CSV into a variable, there’s no str_getcsv in Quercus (yet).

So I did what any self-respecting non-developer would do; I cried for help on StackOverflow. Some of the advice I got there involved obscure tricks like using data-uri’s, fopening php://memory or using SplTempFileObject, but none of those solutions produced anything but errors. So no built-in CSV-parsing for me, but (simple) “manual” parsing of the CSV in a string. Not a huge problem by any measure, but I’m sure there’s a whole lot more limitations, if only for all those functions that rely on file handles. But at least we’re having fun, no? ;-)

WP YouTu.be Lyte: a minor release & some meandering thoughts

Yesterday I pushed WP YouTube Lyte 0.7.3 out the gates. The main trigger for that new release was a bug report about the plugin not behaving as expected when using the youtu.be-links that you get when clicking the “share”-button on YouTube.  Being from that TLD mysself I could not but fix this; the new version recognizes and parses both httpv://youtube.com/watch?v=videoid and httpv://youtu.be/videoid links in posts, pages and widgets. Other features: Slovenian translation (thanks Mitja Mihelič @arnes.si) and a small change to the donottrack-inclusion to make it work over https (hat tip; Chris @ campino2k.de).

Speaking of donottrack: I’ve finally started rewriting that privacy-enhancing plugin. It might … No, it WILL take some time, but expect a whitelist-based approach where you’ll be able to get a report of all inclusions of external content (images, css, javascript, …) in your site and where you can just tick a checkbox per domain you want to allow. All other current and future domains that rogue plugins try to smuggle in after you configured, will be stopped. Next to document.write’s I hope to be able to catch innerHTML and DOM methods like insertBefore and appendChild. If you’re a javascript DOM magician, I could sure use your help on those!

Not sure where I’ll be going with WP YouTube Lyte, it feels pretty complete to me. Stuff that might be added at a later stage;

Do comment below or contact me if you have other feature requests though! And thanks for all the downloads (36.000 and counting)!!

And as is traditional of WP YouTube Lyte announcements, here’s a small video to celebrate the new release; Intergalactic Lovers, a Belgian band, playing “Delay” live.

Intergalactic Lovers - Delay - 23-05-2011
Watch this video on YouTube.

Why your WordPress blog needs DoNotTrack

So what’s with all that nagging about tracking and that DoNotTrack plugin, you might wonder? Well, it’s pretty simple actually.

  1. Some very popular WordPress plugins include 3rd party tracking, sometimes even without properly disclosing, often without means to disable this behavior
  2. 3rd party tracking has privacy implications: all your visitors are tracked by the 3rd party, in general for behavioral marketing purposes (depending on what data is captured, tracking might even be illegal in some countries)
  3. 3rd party tracking has a performance impact: every visit to your blog will include between 2 and 5 extra requests for the 3rd party tracking to succeed, effectively delaying full page rendering

It is my conviction that blog owners should be able to install and use WordPress plugins without having to worry about undisclosed tracking and that plugins should provide a way to disable such 3rd party tracking if included.

As this is not the case yet, we have to resort to (messy) solutions to stop unwanted tracking from happening. And that’s exactly what DoNotTrack does. It’s a small javascript-hack in a WordPress-plugin to stop 3rd party tracking introduced by some of the most popular plugins.

Some details from the readme.txt:

  • What works:
  • What does not work (yet): Tracking code added using innerHTML or appendChild/insertBefore is not yet intercepted (but I’m working a solution for that)
  • What else might be added:
  • How you can help:
    • Provide me with links to plugins that include browser-based tracking + domain where the tracking is done.
    • Provide me with known opt-out code (javascript) to disable tracking services on a site.
    • Tell plugin writers you’re not happy with 3rd party tracking!
    • Tell your visitors about tracking & privacy, link to e.g. http://www.privacychoice.org/

And remember: if you host your WordPress blog yourself, you and nobody else should be able to decide who tracks your users!

Quantcast spyware puts selfhosted WordPress blogs in Automattic network

A quick update about the WordPress.com Stats plugin secretive inclusion of Quantcast tracking: