GDPR: youtube-nocookie embedded URL's, need visitors' permission? - javascript

This is my first time posting on Stack Overflow and I have a question about the GDPR.
Hi there! (This is ment to be on top of the post, but for some reason it gets deleted when I save it)
Situation:
On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube video's on the website, which usually places tracking cookies.
After some research I stumpled upon the youtube-nocookie.com domain, which I am using now. Without using that domain, an embedded video url will be:
https://www.youtube.com/embed/7cjVj1ZyzyE
With using it, it is:
https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE
By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: https://support.google.com/youtube/answer/171780?hl=en under 'Turn on privacy-enhanced mode'). However, there will still be placed some cookies, and it is not clear for me if visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).
Image of the cookies:
Image of cookies youtube-nocookies.com places
This is in Chrome. The cookies from the gstatic domain are placed on page-load for some reason. That doesn't happen in Opera.
Another weird thing is that FireFox (with allowing all cookies and trackers) and Edge don't seem to place any of the 6 cookies from the image at all.
Many sites and blogs say that this is the way to embed YouTube video's, but I can't seem to find a clear answer to the question if you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube video's and the corresponding cookies will be happily placed without my consent.
Has anybody delt with this before?
Thanks in advance!

After some more research I think I found a clear answer. From a report of Cookiebot:
“Privacy-Enhanced Mode” currently
stores an identifier named “yt-remote-device-id”
in the web browser’s “Local Storage”. This
allows tracking to continue regardless of
whether users click, watch, or in any other way
interact with a video – contrary to Google’s
claims. Rather than disabling tracking, “privacyenhanced mode” seems to cover it up.
Source: https://www.cookiebot.com/media/1136/cookiebot-report-2019-ad-tech-surveillance-2.pdf
The 'yt-remote-device-id' indentifier, along with some other ones, are, even with the use of the youtube-nocookie.com domain (or 'Privacy Enhanced Mode'), still being placed on page load (given that the iframe with the set source is already part of the DOM at this point of course).
So while no tracking 'cookies' cookies are placed, the tracking has moved to the browsers localStorage (I overlooked this before), which basically means visitors actually do need to give permission before embedded YouTube video's with Privacy Enhanced Mode enabled should be loaded on the page.
Update
Gave some nuance in response to Marc Hjorth's comment.

i can confirm that the localStorage entry effectively replaces the funktion of the cookie. it is persistent and makes you identifiable across browser sessions. i get the same "yt-remote-device-id" value each time after restarts. only erasing the local storage makes a difference.

Related

Iframes security tips and scripts

I am trying to launch a website for myself which people might be using in future. Currently I am allowing users to post iframes for YouTube and Google Maps etc. Copy entire 'iframe' from Google Maps or YouTube and paste it in post box just to keep it simple.
Later I am storing it in MySQL database. I am displaying this post on some page. I am little worried since though I have asked user to paste only YouTube or Maps iframes, a devil mind might put src of malicious code.
What are all the possible ways to prevent this?
I think there are multiple risks, some that come to mind are:
Cross-site scripting. There are too many ways to achieve this if you allow the full <iframe> tag to be displayed as entered. This is probably the main risk, and the showstopper. It would be really hard to prevent XSS if you just write the full iframe tag (as entered by an attacker) into subsequent pages. If you really want to do this, you should look into HTML sanitization like Google Caja or HTMLPurifier or similar, but it is a can of worms that you better avoid if possible.
Information leak to malicious website. This very much depends on the browser (and the exact version of such browser), but some information (like for example teh window size, etc.) does leak to the website in an iframe, even if it's from a different origin.
Information / control leak from malicious website. Even worse than the previous, the embedded website would have some control over the window, for example it can redirect it (again, I think it depends on the browser though, I'm not quite sure), or can change the url hash fragment. Also if postMessage is used, the iframe can send messages to your application, which can be exploited if your application is not properly secured (not necessarily right now, but at any time in the future, like 5 years from now, after much development).
Arbitrary text injection, possibly leading to social engineering. Say an adversary includes a frame that says something like "You are the winner of this month's super-prize! Call 1-800-ATTACKER to provide your details and get your reward!"... You get the idea. The message would look like a legitimate one from your website, when it's not.
So you'd better not allow people to enter full tags as copied from Google Maps or anywhere else. There appears to be a finite set of things you want to allow (like for example Youtube videos and Google Maps links are only two), for which you should have customized controls. The user would only enter the video id/slug (the part after ?v=...), or would paste the full link, from which you would take the id, and you would make the actual tag for your page on the server side. The same for Google Maps, if the user navigates to wherever he wants in a Maps window and pastes the url, you can make your own iframe I think, because everything is in the url in Google Maps.
So in short, you should not allow people entering tags. XSS can be mitigated by sanitizers, but other risks listed above cannot.

Setting cookies in an epub3 for IBooks

Does the IBooks reader allow setting and reading cookies?
Basically what I need is that the status of one page (the user clicking on some elements) gets stored and used in the next page.
I have been experimenting and so far I could not get it to work, thus I wonder whether cookies are supported at all.
I found my own answer. I was able to store cookies inside an epub3 eBook using the js-cookie library. Unfortunately the cookie is only visible for the current page and is not useful to share information between pages (which in epub3 are different html5 documents).

Use another website from an HTML file running locally

I am trying to load another website from a webpage I am running locally. While it does load, I can not seem to reference anything inside. I keep getting
Blocked a frame with origin "null" from accessing a frame with origin "http://theWebsiteImAccessingWithTheIFrame.com". The frame requesting access has a protocol of "file", the frame being accessed has a protocol of "http". Protocols must match.
I get that this is a security feature, but there must be a way to reference the stuff inside if it is loading it anyway, no?
Any help is greatly appreciated!
Edit:
I have created a map of the office I work in, using SVGs, with everyone's information(office location, their photo, extension, etc). We also just got a bunch of IP Phones that are managed and hosted by LightPath. On the webpage they have, it lets us manage our phones and even make them call others(using javascript but I have no idea how since their code is insanely complex).
My plan was that if a user clicked on someone's office, they could then have a button that would ask them to enter their number and pin to log in(how it works on the lightpath website), it would connect their 2 phones. I intended to use their number and pin to log in for them, and have the call connect that way, by just controlling the forms on lightpath's site, while it was in an iframe. This way, they wouldn't see Lightpath's site's clutter(because I could hide the iframe), and it would just get done. Essentially, it would happen as if they had gone to the website themselves and done it that way, except in a much more approachable format, and with less distractions.
LightPath does offer a "call me" feature which creates a dedicated button for calling a specific person, but it creates a token for them, and only that person has the ability to create it, not to mention I would have to enter each persons' unique token into the site, and run the risk of it failing should their extension get changed, or they leave the company. So I was hoping for something a little more dynamic.
This is a security feature from the browsers.
You can't access iFrames which are not from the same origin.
So the file has to be local.
They have to be on the same server. In chrome you aren't allowed to access any other file in the file:// protocol.
So to access remote files you may want to look into other ways of accessing it.
But either way, you need — at least in Google Chrome — to be on the http:// protocol.

Get title and URL of last 5 websites in history

I'm looking to include a small window that shows the last 5 pages they visited on a my site.
Primarily I'd like it to show the title of the page and the URL so I can link them to it. It would be great if I can filter these to a word or website since I'd like to be for my site only.
Would JavaScript be good for this and does it work cross browsers?
You can only look 1 page back which is document.referrer but I am not sure how to get the title.
If you are monitoring your own site you can use localStorage to store the last 5 pages but if you want to monitor other sites then no you cant do it in Javascript that will be a privacy concern if you can do it.
localStorage is HTML5 but its already supported by major browsers.
If you are doing server-side scripting it should be fairly simple to keep a record of what page they have visited on your website. It could be done with Javascript and cookies, but it does not necessarily have to be done that way.

Read Chrome browsing history within extension

How can I check if a certain link is found in Chrome's browsing history(on the computer that accesses the link) using JavaScript or jQuery? I am interested (if any) in the functions that I have to use. Also how can I get the date and time of the accessed link?
Retrieving the users history from javascript launched from a web page is impossible due to obvious blatant security issues.
Retrieving the users history from javascript running in an extension is possible, but doing so requires elevated permissions that the user has to grant after being warned. In summary you are probably looking for the chrome.history.getVisits() function. You can find more information on how to access the history using chrome.history here and the resulting security warnings given to the user here.
Nonono! That cannot happen. Unless you make a plugin, but I still doubt it.
This might be off topic but you might be interested in google analytics.
this chrome extension allow you to use browser address bar to search keywords, which will automatically search against your browser history and give you suggestion
Chrome webstore - history as bookmark
This is just not possible with Chrome because of security. What you would have to do is use cookies and add to the cookie each page the user is on along with the time visited.
Problem with this it will only track a user on your site not others. Cookies are only suppose to hold small amounts of info not long tracks of what page your user has been on. Also a user can disable cookies...
Another way is maybe doing this serverside and tracking the users IP through your pages and keep a list of what pages your user is visiting.

Categories