|
|
|
|
|
|
by ev1
1428 days ago
|
|
|
"enable it only on a per subdomain basis" works when the tracking runs off a separate subdomain. Walmart, for example, intentionally proxies the files through their primary domain, the one that you are visiting, to try and bypass this. -- Other sites and services will also use blocking them as a fingerprinting point. For example, it loads native first-party JS to try and bootstrap the rest of it. A really simplified example: Stage 1: on-page script tag, not a separate file, sets up a variable - let's call it "counter" Stage 2: Load cross-site-tracker.js from obvious-analytics.example.com. If it fails: Stage 3: Load QyojK8oIwLjske2JkW9mdJY0Np.js from hqMOBRLccCmEnG9.cloudfront.net; increment a "shady user is trying to hide from us" counter If it fails: Stage 4: Load RandomWordsRainbowButterfly.js from N4NqCUJAT9UUXFcwnn.cloudfront.net; increment a "shady user is trying to hide from us" counter Keep trying this through 3-4 domains, use random s3 buckets, cloudfront hostnames, akamaized.net hostnames. Upload all tracking data as soon as one of them succeeds. |
|
|