what happens when allowing sites to run scripts from other domains?
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
-
- Hobby Astronomer
- Posts: 15
- Joined: 2020-03-29, 22:33
what happens when allowing sites to run scripts from other domains?
my question isn't really about finding the best way to do one thing or the other, but rather what's actually going on behind the scenes.
I block every site's javascript by default and decide whether or not to let them run their script(s) or allow access to other domains, eg googletagmanager.com, analytics.google.com and so on.
my concern is the site I visit knowingly or unknowingly feeding or allowing google access to my data such as in a form I fill out on the site (for auto parts search, signing up for something, etc.). if I understand at a simplified level, google makes various tools for sites to dynamically insert into their web site code so the site can do things that itself would never have the time or expertise to develop.
1. so when I allow the site to load/access eg googletagmanager.com, who besides google even has any idea what that kind of access is permitting? when I see ".com" I don't think of a single specific script or tool, it makes me think of a whole range of things one may or may not be aware of.
2. is it built into the googletagmanager tool that there's an option for google to access themselves, or the site to intentionally supply, what I enter into the site's forms? for example the site wants some of the info verified to not be bogus so the form data is instantaneously forwarded to google for that task?
3. who besides google could possibly know what else permitting access to any other of its ".com" script sites is allowing to happen? if a site I visit wants to load a supposedly 'harmless' google tool ".com", could the google domain permitted be able to activate some other kind of spying/tracking that the local site was unaware of? for example google making their own copies of all data entered into the site's forms because they used a tool loaded from a google site?
-
- Knows the dark side
- Posts: 4984
- Joined: 2015-12-09, 15:45
Re: what happens when allowing sites to run scripts from other domains?
You're overthinking this. Blocking all javascript these days will break most popular websites made within the last 10 years and you should just use a properly configured adblocker with popular filter list subscriptions and it will block whatever you don't need.
tommy_2 wrote: ↑2023-11-22, 01:50
> so when I allow the site to load/access eg googletagmanager.com, who besides google even has any idea what that kind of access is permitting? when I see ".com" I don't think of a single specific script or tool, it makes me think of a whole range of things one may or may not be aware of

Domains owned by Google will obviously be visible to Google only, why would they share with anyone else? Their collected user data is the crown jewels - they offer targeted ads based on the data, not access to the data itself (to advertisers). And what has .com or any other TLD got to do with it? Dot com only indicates that the site in question is commercial, it doesn't mean they are automatically evil any more than .net or .org are automatically benign.
And finally, blanket blocking 3rd party content is pointless when every large website uses CDNs that are often separate domains instead of subdomains.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
-
- Lunatic
- Posts: 286
- Joined: 2018-05-26, 18:13
Re: what happens when allowing sites to run scripts from other domains?
I disagree with moonbat - his position may be appropriate for dummies, but the people who know more and care should be blocking scripts by default at the very least. I block everything!!! And unblock as needed.
You do not need to allow googletagmanager ever, anywhere. I've never come across a site that failed to work with that blocked. It is blocked in the standard blocking lists (Easy List, etc.). I always try getting a site to work without any google connections at all (this won't work on youtube or other google owned sites). Those blocking lists have a lot of other obscure sites blocked too, so I recommend using at least Easy List. I also use Easy Privacy and the native lists for uBlock Origin. I use both uBlock Origin and eMatrix; eMatrix is too advanced for some people (or they think so), but I can't stand the web without it. eMatrix replaced NoScript and another old extension that blocked 3rd party connections. You should at least use uBlock Origin at a minimum.
Win10home(1709), PM33.1.0-portable as of Apr 23, '24
-
- Pale Moon guru
- Posts: 35651
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: what happens when allowing sites to run scripts from other domains?
I know more and I care (and I'm not exactly a dummy) but if you have average browsing activity then starting off with everything blocked and manually unblocking on each and every site you go to is simply unfeasible (and actually pointless in a lot of cases).
Your own approach also seems to align with Moonbat's actually, as you're apparently using standard block lists that only target known bad trackers and undesirable domains, so... are you really disagreeing then?
Also, another point to keep in mind is that "other domains" are very often run by the website owners themselves but are using a separate domain for content delivery (static content, media, etc.) that is still first-party and blocking anything of that will break the site.
I think you can strike "popular" from that sentence
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Hobby Astronomer
- Posts: 15
- Joined: 2020-03-29, 22:33
Re: what happens when allowing sites to run scripts from other domains?
thanks Michaell.
all: I've been using the web almost from the start and internet before that. my browsing is the way I want it. most of my web use is text-based/text-heavy sites like this forum so the fact I block everything is not nearly as cumbersome as some imagine it must be.
but that's all beside the point, this is what my post is about:
> my question isn't really about finding the best way to do one thing or the other, but rather what's actually going on behind the scenes.

I'm not a programmer or follow programmer search results very well so it has been difficult sifting through the chaff of scores of internet searches.
for that reason I posted in a forum where I know lots of ppl have the technical expertise with the subject matter of what I'm trying to find out. thanks.
-
- Pale Moon guru
- Posts: 35651
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: what happens when allowing sites to run scripts from other domains?
Maybe you can ask a specific question that can be answered in that case? What do you consider "behind the scenes"? What are you wanting to know, exactly?
In broad strokes, "what happens" in general is simply that the browser makes a request to the other domains and gets the script from there (if allowed by the website's content security policy if present). The actual networking requests are the same whether you are looking at a first party or third party.
Basically, you make a first request, which downloads a web page document. If that document contains URLs for scripts and other media to be loaded from another domain (HTML src/etc. attribute or via a javascript request), a new connection will be made to that other domain to fetch that script or media in the exact same fashion as if you're directly putting it into the address bar.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Hobby Astronomer
- Posts: 15
- Joined: 2020-03-29, 22:33
Re: what happens when allowing sites to run scripts from other domains?
sorry I couldn't follow up sooner but I'd still like to be clear on how this works:
1. with what you say about 1st/3rd-party access, what mechanically happens then, once the initial non-google site's form can be typed into? is the g*-supplied/activated form essentially 'running' from a g* domain? so when I'm typing info into the form boxes it's being done on a google machine which can record everything I enter (because it's a g* form or form that won't function until g* can run javascript)?
2. is there anything in a browser or pale moon specifically that recognizes and prevents entered user info from being sent anywhere other than the original site visited, whether or not the visited site requires allowing other domains to use javascript?
I realize hardware/software info will be transmitted so I'm asking about something I would type or paste in.
eg in the case of ajax.googleapis.com, gstatic.com, *google.com and so on, if they/3rd-parties are more or less surreptitiously activating additional scripts for purposes of copying/getting entered info meant only for the original site, would pale moon's ordinary functioning block something like that? or pale moon/any browser serves up whatever a javascript domain asks for?
the situation I'm wondering about is voluntarily entering personal info (name, addr, ph, etc.) into a non-google site I intentionally visit, and either the non-google site's form doesn't respond/accept info or after entering the info I can't get to the site's next web page without first allowing google domains to use javascript.
-
- Lunatic
- Posts: 286
- Joined: 2018-05-26, 18:13
Re: what happens when allowing sites to run scripts from other domains?
My response will be different than what Moonchild and others here will likely say, so it's up to you what value you assign to it.
Win10home(1709), PM33.1.0-portable as of Apr 23, '24
-
- Hobby Astronomer
- Posts: 15
- Joined: 2020-03-29, 22:33
Re: what happens when allowing sites to run scripts from other domains?
thanks again Michaell for another helpful reply.
I realize there isn't much I could do about the original site intentionally giving my info to another party, my concern is mostly when the original site is unaware that domains their site asks me to allow to run javascript are now (what I wonder) able to monitor what happens between us.
either because 3rd-party scripts do indeed have(?) the capability to see what's going on, or (my other question) because I'm filling out (part of) their form on a now-allowed 3rd-party domain's machine.
-
- Pale Moon guru
- Posts: 35651
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: what happens when allowing sites to run scripts from other domains?
This is entirely under the control of the website owner, i.e. this never happens when the original site is unaware of it. In addition, if injected scripts are a concern, then this is what https and CSP are for as security mechanisms (as that would be classified as cross-site scripting, i.e. XSS). The original website owner is therefore in full control of what external/3rd party scripts are called from their website. The onus is on them to make sure those 3rd parties are trusted.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
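Added example, not part of the thread and not Pale Moon or Google code: it illustrates the two mechanisms described in the replies above, namely that the page document itself names the other domains the browser will fetch scripts from, and that a site's Content-Security-Policy limits which of those loads are permitted. The sample page, the `example.test` hostnames, the `GTM-XXXX` id and all function names are constructed for illustration, and the CSP matching is simplified to `'self'` and plain host sources.

```javascript
// Added illustration: list the script URLs a page document asks the browser
// to fetch, and check each against the site's CSP script-src allowlist.
// Simplified: only 'self' and host sources (optional "*." wildcard) are modelled.
function scriptUrls(html, pageUrl) {
  // Collect src attributes of <script> tags and resolve them against the page URL.
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(new URL(m[1], pageUrl));
  return urls;
}

function scriptSrcList(cspHeader) {
  // Return the source list of script-src, falling back to default-src.
  const directives = {};
  for (const part of cspHeader.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives["script-src"] || directives["default-src"] || null;
}

function allowedByCsp(url, pageUrl, sources) {
  if (sources === null) return true; // no policy: nothing restricts script loads
  const page = new URL(pageUrl);
  return sources.some((src) => {
    if (src === "'self'") return url.origin === page.origin;
    if (src.startsWith("'")) return false; // other keywords, nonces, hashes not modelled
    const host = src.replace(/^https?:\/\//, "");
    if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
    return url.hostname === host;
  });
}

function auditPage(html, pageUrl, cspHeader) {
  const sources = scriptSrcList(cspHeader);
  const pageHost = new URL(pageUrl).hostname;
  return scriptUrls(html, pageUrl).map((u) => ({
    host: u.hostname,
    thirdParty: u.hostname !== pageHost, // may still be the site owner's own CDN
    allowed: allowedByCsp(u, pageUrl, sources),
  }));
}

// Constructed sample page and policy (not taken from any real site).
const SAMPLE_URL = "https://shop.example.test/parts";
const SAMPLE_HTML = `
  <script src="/js/form.js"></script>
  <script src="https://cdn.example.test/lib.js"></script>
  <script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>`;
const SAMPLE_CSP = "default-src 'self'; script-src 'self' cdn.example.test";

console.log(auditPage(SAMPLE_HTML, SAMPLE_URL, SAMPLE_CSP));
```

With the sample policy the tag manager script is the only one refused; with no policy at all, every script the document names is fetched.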