| It looks like this is related to 'bot detection' services from http://www.whiteops.com/ , as White Ops is listed as the contact on tagsrvcs.com. The html served back includes a script tag having require(['http://static01.nyt.com/bi/js/tagx/tagx.js'], function () {
http://static01.nyt.com/bi/js/tagx/tagx.js
loads http://s.tagsrvcs.com/2/818492/analytics.js?<bunch of query params>
which defines an 'encryption key' that is later used to 'encrypt' POST parameters back to tagsrvcs, but looks a lot like a page load identifer, including using it to namespace 'postbacks' later on. tagsrvs.com/.../analytics.js
loads
http://s.tagsrvcs.com/2/4.10.0/loaded.js tagsrvcs.com/../loaded.js
'postsback' to urls like
http://s.tagsrvcs.com/2/4.10.0/818492/L0an5rrDUnnex1s8dQ4fGu...(Note the 'L0an5rr...' which is the same as the 'encryption key' returned before in the 'analytics.js' file) This collects some fun things like WebRTC addresses, scripts loaded on the page, and much much more, and sends them out as they become available or more events happen. If you'd like to investigate this information yourself, the best place to set a breakpoint is in 'loaded.js', inside the function 'e.prototype.emitAsCORSXHR' which is responsible for 'encrypting' the payload before transmission. |