by mrex 1422 days ago
Wow. I had no idea. This bullshit is why I browse with javascript off, and enable it only on a per subdomain basis with uMatrix, and disable all the tracking technologies I can. I probably already stick out like a sore thumb to anyone doing browser fingerprinting.

Not only did the kids fail to get off our lawn, look at this giant hunk of poop they left all over it. Eternal September never ends.


Well, good thing they reverse-proxy the javascript code first party directly on the domain (www.*), and attempt to load multiple subdomains on the primary domain one after another (including randomised CDN paths).
I'm trying to grasp what you are explaining here. Is this another fingerprinting method?
"enable it only on a per subdomain basis" works when the tracking runs off a separate subdomain. Walmart, for example, intentionally proxies the files through their primary domain, the one that you are visiting, to try and bypass this.

--

Other sites and services will also use blocking them as a fingerprinting point. For example, it loads native first-party JS to try and bootstrap the rest of it.

A really simplified example:

Stage 1: on-page script tag, not a separate file, sets up a variable - let's call it "counter"

Stage 2: Load cross-site-tracker.js from obvious-analytics.example.com.

If it fails:

Stage 3: Load QyojK8oIwLjske2JkW9mdJY0Np.js from hqMOBRLccCmEnG9.cloudfront.net; increment a "shady user is trying to hide from us" counter

If it fails:

Stage 4: Load RandomWordsRainbowButterfly.js from N4NqCUJAT9UUXFcwnn.cloudfront.net; increment a "shady user is trying to hide from us" counter

Keep trying this through 3-4 domains, use random s3 buckets, cloudfront hostnames, akamaized.net hostnames. Upload all tracking data as soon as one of them succeeds.
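
Added example, not part of the thread above and not any site's actual code: a detection sketch that scans an ordered log of script loads from one page view (for instance, exported from your own browser's network panel) and flags the staged fallback pattern the last comment describes. The event fields (`host`, `path`, `ok`), the CDN suffix list, the `minBlocked` threshold and both sample logs are assumptions constructed for illustration.

```javascript
// Shared-hosting suffixes named in the comment; the exact list is an assumption.
const CDN_SUFFIXES = ["cloudfront.net", "akamaized.net", "s3.amazonaws.com"];

function isSharedCdn(host) {
  const h = host.toLowerCase();
  return CDN_SUFFIXES.some((sfx) => h.endsWith("." + sfx));
}

// A chain is a run of script loads on distinct hosts where every load but the
// last was blocked, and at least one fallback host sits on a shared CDN.
function findFallbackChains(events, minBlocked = 1) {
  const chains = [];
  let run = [];
  const flush = () => {
    const blocked = run.filter((e) => !e.ok).length;
    const fallbacks = run.slice(1);
    if (blocked >= minBlocked && fallbacks.some((e) => isSharedCdn(e.host))) {
      const last = run[run.length - 1];
      chains.push({
        hosts: run.map((e) => e.host),
        blocked,
        succeededVia: last.ok ? last.host : null,
      });
    }
    run = [];
  };
  for (const ev of events) {
    // A repeated host is a retry, not a hop to a new domain: close the run.
    if (run.length && run.some((e) => e.host === ev.host)) flush();
    run.push(ev);
    if (ev.ok) flush(); // a successful load ends the chain
  }
  if (run.length) flush();
  return chains;
}

// Constructed sample: stages 2-4 from the comment, as a blocker would log them.
const SAMPLE = [
  { host: "www.shop.example", path: "/app.js", ok: true },
  { host: "obvious-analytics.example.com", path: "/cross-site-tracker.js", ok: false },
  { host: "hqMOBRLccCmEnG9.cloudfront.net", path: "/QyojK8oIwLjske2JkW9mdJY0Np.js", ok: false },
  { host: "N4NqCUJAT9UUXFcwnn.cloudfront.net", path: "/RandomWordsRainbowButterfly.js", ok: true },
];
// Constructed control: one blocked script, then an unrelated first-party load.
const BENIGN = [
  { host: "d1example.cloudfront.net", path: "/site.js", ok: true },
  { host: "metrics.example.org", path: "/m.js", ok: false },
  { host: "www.shop.example", path: "/cart.js", ok: true },
];
```

This only sees cross-host fallbacks; scripts proxied through the primary domain, as in the Walmart case mentioned earlier in the thread, produce no host change for it to detect.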