what happens when allowing sites to run scripts from other domains?

[tommy_2]

my question isn't really about finding the best way to do one thing or the other, but rather what's actually going on behind the scenes.

I block every site's javascript by default and decide whether or not to let them run their script(s) or allow access to other domains, eg googletagmanager.com, analytics.google.com and so on.

my concern is the site I visit knowingly or unknowingly feeding or allowing google access to my data such as in a form I fill out on the site (for auto parts search, signing up for something, etc.). if I understand at a simplified level, google makes various tools for sites to dynamically insert into their web site code so the site can do things that itself would never have the time or expertise to develop.

1. so when I allow the site to load/access eg googletagmanager.com, who besides google even has any idea what that kind of access is permitting? when I see ".com" I don't think of a single specific script or tool, it makes me think of a whole range of things one may or may not be aware of.

2. is it built into the googletagmanager tool that there's an option for google to access themselves, or the site to intentionally supply, what I enter into the site's forms? for example the site wants some of the info verified to not be bogus so the form data is instantaneously forwarded to google for that task?

3. who besides google could possibly know what else permitting access to any other of its ".com" script sites is allowing to happen? if a site I visit wants to load a supposedly 'harmless' google tool ".com", could the google domain permitted be able to activate some other kind of spying/tracking that the local site was unaware of? for example google making their own copies of all data entered into the site's forms because they used a tool loaded from a google site?

[moonbat]

You're overthinking this. Blocking all javascript these days will break most popular websites made within the last 10 years and you should just use a properly configured adblocker with popular filter list subscriptions and it will block whatever you don't need.

so when I allow the site to load/access eg googletagmanager.com, who besides google even has any idea what that kind of access is permitting? when I see ".com" I don't think of a single specific script or tool, it makes me think of a whole range of things one may or may not be aware of

Domains owned by Google will obviously be visible to Google only, why would they share with anyone else? Their collected user data is the crown jewels - they offer targeted ads based on the data, not access to the data itself (to advertisers). And what has .com or any other TLD got to do with it? Dot com only indicates that the site in question is commercial, it doesn't mean they are automatically evil any more than .net or .org are automatically benign.
And finally, blanket blocking 3rd party content is pointless when every large website uses CDNs that are often separate domains instead of subdomains.

[Michaell]

I disagree with moonbat - his position may be appropriate for dummies, but the people who know more and care should be blocking scripts by default at the very least. I block everything!!! And unblock as needed.

You do not need to allow googletagmanager ever, anywhere. I've never come across a site that failed to work with that blocked. It is blocked in the standard blocking lists (Easy List, etc.). I always try getting a site to work without any google connections at all (this won't work on youtube or other google owned sites). Those blocking lists have a lot of other obscure sites blocked too, so I recommend using at least Easy List. I also use Easy Privacy and the native lists for uBlock Origin. I use both uBlock Origin and eMatrix; eMatrix is too advanced for some people (or they think so), but I can't stand the web without it. eMatrix replaced NoScript and another old extension that blocked 3rd party connections. You should at least use uBlock Origin at a minimum.

[Moonchild]

his position may be appropriate for dummies, but the people who know more and care should be blocking scripts by default at the very least. I block everything!!! And unblock as needed.

I know more and I care (and I'm not exactly a dummy) but if you have average browsing activity then starting off with everything blocked and manually unblocking on each and every site you go to is simply unfeasible (and actually pointless in a lot of cases).
Your own approach also seems to align with Moonbat's actually, as you're apparently using standard block lists that only target known bad trackers and undesirable domains, so... are you really disagreeing then?
Also, another point to keep in mind is that "other domains" are very often run by the website owners themselves but are using a separate domain for content delivery (static content, media, etc.) that is still first-party and blocking anything of that will break the site.

Blocking all javascript these days will break most popular websites made within the last 10 years

I think you can strike "popular" from that sentence

[tommy_2]

thanks Michaell.

all: I've been using the web almost from the start and internet before that. my browsing is the way I want it. most of my web use is text-based/text-heavy sites like this forum so the fact I block everything is not nearly as cumbersome as some imagine it must be.

but that's all beside the point, this is what my post is about:

my question isn't really about finding the best way to do one thing or the other, but rather what's actually going on behind the scenes.

I'm not a programmer or follow programmer search results very well so it has been difficult sifting through the chaff of scores of internet searches.

for that reason I posted in a forum where I know lots of ppl have the technical expertise with the subject matter of what I'm trying to find out. thanks.

[Moonchild]

Maybe you can ask a specific question that can be answered in that case? What do you consider "behind the scenes"? What are you wanting to know, exactly?

In broad strokes, "what happens" in general is simply that the browser makes a request to the other domains and gets the script from there (if allowed by the website's content security policy if present). The actual networking requests are the same whether you are looking at a first party or third party.
Basically, you make a first request, which downloads a web page document. If that document contains URLs for scripts and other media to be loaded from another domain (HTML src/etc. attribute or via a javascript request), a new connection will be made to that other domain to fetch that script or media in the exact same fashion as if you're directly putting it into the address bar.

[tommy_2]

sorry I couldn't follow up sooner but I'd still like to be clear on how this works:

the browser makes a request to the other domains and gets the script from there...networking requests are the same whether you are looking at a first party or third party.

the situation I'm wondering about is voluntarily entering personal info (name, addr, ph, etc.) into a non-google site I intentionally visit, and either the non-google site's form doesn't respond/accept info or after entering the info I can't get to the site's next web page without first allowing google domains to use javascript.

1. with what you say about 1st/3rd-party access, what mechanically happens then, once the initial non-google site's form can be typed into? is the g*-supplied/activated form essentially 'running' from a g* domain? so when I'm typing info into the form boxes it's being done on a google machine which can record everything I enter (because it's a g* form or form that won't function until g* can run javascript)?

2. is there anything in a browser or pale moon specifically that recognizes and prevents entered user info from being sent anywhere other than the original site visited, whether or not the visited site requires allowing other domains to use javascript?

I realize hardware/software info will be transmitted so I'm asking about something I would type or paste in.

eg in the case of ajax.googleapis.com, gstatic.com, *google.com and so on, if they/3rd-parties are more or less surreptitiously activating additional scripts for purposes of copying/getting entered info meant only for the original site, would pale moon's ordinary functioning block something like that? or pale moon/any browser serves up whatever a javascript domain asks for?

[Michaell]

My response will be different than what Moonchild and others here will likely say, so it's up to you what value you assign to it.

the situation I'm wondering about is voluntarily entering personal info (name, addr, ph, etc.) into a non-google site I intentionally visit, and either the non-google site's form doesn't respond/accept info or after entering the info I can't get to the site's next web page without first allowing google domains to use javascript.

The best assumption is that anything you enter can be sent to any other site the original site's page loads connections to. And even worse perhaps, once submitted the data can and likely is shared by the origial site with anyone they choose in ways that can't be tracked by the user. It's a matter of trust. The same is true if you use the phone to call a business; the person answering types in the data on her computer which has no bloxking of google at all. The only way to keep your info private is not to give it out. We all end up giving out private data at times, but it's up to you to limit it to the minimum necessary. It goes way beyond just what's happening in your browser because everything is done on networked computers now.

1. with what you say about 1st/3rd-party access, what mechanically happens then, once the initial non-google site's form can be typed into? is the g*-supplied/activated form essentially 'running' from a g* domain? so when I'm typing info into the form boxes it's being done on a google machine which can record everything I enter (because it's a g* form or form that won't function until g* can run javascript)?

It depends on the site. Forms used to be part of the HTML standardized code. Now mostly everything is done with scripts, and those can do a lot more than what the old forms could. Even with old forms the info could be emailed to an undisclosed address. The only way to know for sure what scripts are doing is to examine every line of code and/or use network packet monitoring programs to see what is being sent where.

You keep asking mostly about google, and if you are concerned enough about privacy to ask, you should not trust any google owned domain or resource. As an example, I wanted to find out who the candidates were in my state's primary and if there were any early voting polling places near me. The state government run site would not let users get that data without entering name, address, birth date and last 4 of SSN. And then even after doing that, you still were blocked unless you allow google connections (recaptcha type stuff). Even the "I'm not a robot" checkbox that the the lady I spoke to about it tried to convince was all that was there that checkbox is from google. Most website owners will tell you their site is not connecting to google because it isn't visible on the page. In reality, they have no clue!

2. is there anything in a browser or pale moon specifically that recognizes and prevents entered user info from being sent anywhere other than the original site visited, whether or not the visited site requires allowing other domains to use javascript?

The party line had been that it's the browser's job to request and send info not to block it. So, there isn't much site specific blocking built into the browser if you don't use extensions. There are some things that can be blocked under site permissions, but in general it's easier to do that with extensions. There are some settings in about:config (too many to cover) that you can change to minimize exposure but they are not enough by themselves. Besides or in addition to blocking extensions, there is the user.js approach. There are examples available on the internet (the one formerly known as ghacks and other spin offs), but it takes a lot of time to wade through all the settings. I'm not sure if anyone is maintaining a version specific to PM. The PM banned extension that blocks javascript has a couple of functions that help do some of what you're looking for but then you lose official support for PM with that installed.

eg in the case of ajax.googleapis.com, gstatic.com, *google.com and so on, ...

CDN extensions like Decentraleyes can help some with some of those sites by loading a locally saved copy of the resource. They don't change the code, they just don't fetch it from google or other supported sites each time.

[tommy_2]

thanks again Michaell for another helpful reply.

I realize there isn't much I could do about the original site intentionally giving my info to another party, my concern is mostly when the original site is unaware that domains their site asks me to allow to run javascript are now (what I wonder) able to monitor what happens between us.

either because 3rd-party scripts do indeed have(?) the capability to see what's going on, or (my other question) because I'm filling out (part of) their form on a now-allowed 3rd-party domain's machine.

[Moonchild]

my concern is mostly when the original site is unaware that domains their site asks me to allow to run javascript are now (what I wonder) able to monitor what happens between us.

This is entirely under the control of the website owner, i.e. this never happens when the original site is unaware of it. In addition, if injected scripts are a concern, then this is what https and CSP are for as security mechanisms (as that would be classified as cross-site scripting, i.e. XSS). The original website owner is therefore under full control what external/3rd party scripts are called from their website. The onus is on them to make sure those 3rd parties are trusted.