Generating a (non-UDID) identifier in JavaScript to identify iOS devices uniquely - javascript

As Mobile Safari does not have access to the iOS device's UDID, I'm looking for a way to generate a different (but still unique) identifier for iOS devices using JavaScript only.
A broader question would be:
"What system information does JavaScript on Mobile Safari have access to that could be used to generate a unique identifier?"
This would need to be information not requiring user permissions (i.e. alerts) to access.
The use-case for this is tracking conversions from CPC publishers where advertisers are limited to providing a URL as the landing page for the ad, and the publisher does not append the UDID to the URL.

More to the point, third-party cookies (which is what the op is implying he needs to set) are disabled by default on mobile Safari. The short answer here is there's no easy way to do this, unless you resort to the kind of trickery Google engaged in - the workaround involves a loophole whereby a third-party cookie was allowed to be set with a form submission. Google created an invisible form and submitted it, all via JavaScript and thus was able to set a cookie.
There are companies claiming to be able to do "device fingerprinting" with high accuracy. Blue Cava is one getting a bunch of press, but a Google search will turn up others. If this feature is important enough to pay money for, I'd suggest checking them out.

Related

GDPR: youtube-nocookie embedded URL's, need visitors' permission?

This is my first time posting on Stack Overflow and I have a question about the GDPR.
Hi there! (This is ment to be on top of the post, but for some reason it gets deleted when I save it)
Situation:
On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube video's on the website, which usually places tracking cookies.
After some research I stumpled upon the youtube-nocookie.com domain, which I am using now. Without using that domain, an embedded video url will be:
https://www.youtube.com/embed/7cjVj1ZyzyE
With using it, it is:
https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE
By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: https://support.google.com/youtube/answer/171780?hl=en under 'Turn on privacy-enhanced mode'). However, there will still be placed some cookies, and it is not clear for me if visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).
Image of the cookies:
Image of cookies youtube-nocookies.com places
This is in Chrome. The cookies from the gstatic domain are placed on page-load for some reason. That doesn't happen in Opera.
Another weird thing is that FireFox (with allowing all cookies and trackers) and Edge don't seem to place any of the 6 cookies from the image at all.
Many sites and blogs say that this is the way to embed YouTube video's, but I can't seem to find a clear answer to the question if you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube video's and the corresponding cookies will be happily placed without my consent.
Has anybody delt with this before?
Thanks in advance!
After some more research I think I found a clear answer. From a report of Cookiebot:
“Privacy-Enhanced Mode” currently
stores an identifier named “yt-remote-device-id”
in the web browser’s “Local Storage”. This
allows tracking to continue regardless of
whether users click, watch, or in any other way
interact with a video – contrary to Google’s
claims. Rather than disabling tracking, “privacyenhanced mode” seems to cover it up.
Source: https://www.cookiebot.com/media/1136/cookiebot-report-2019-ad-tech-surveillance-2.pdf
The 'yt-remote-device-id' indentifier, along with some other ones, are, even with the use of the youtube-nocookie.com domain (or 'Privacy Enhanced Mode'), still being placed on page load (given that the iframe with the set source is already part of the DOM at this point of course).
So while no tracking 'cookies' cookies are placed, the tracking has moved to the browsers localStorage (I overlooked this before), which basically means visitors actually do need to give permission before embedded YouTube video's with Privacy Enhanced Mode enabled should be loaded on the page.
Update
Gave some nuance in response to Marc Hjorth's comment.
i can confirm that the localStorage entry effectively replaces the funktion of the cookie. it is persistent and makes you identifiable across browser sessions. i get the same "yt-remote-device-id" value each time after restarts. only erasing the local storage makes a difference.

Google analytics 'not set' value as browser version?

Similar question here, but my case is different.
I have added google analytics script to my project(angular4) and I am getting all information except for browser information.
I can see 'not set' value as some of the browsers and I found that there some tips to remove it, but that seems like we need to add some filter to exclude these data.
Is there any solution to print actual information instead of 'not set' value.
Thanks in advance.'
(not set) means just that the information was not set. So Google analytics can not tell you what browser it was.
Possible cause and fix
When you visit a webpage, the page detects what is called a user agent. The user agent has information related to what device you are using as well as which browser and browser version. If you see (not set), it is likely accounting for a very small percentage of your traffic. Google had libraries to identify user agents so when it does not match, (not set) will show up.
This could indicate crawlers and bots, especially if you see a bounce rate and new sessions percentage near 100% and an average session duration of less than a second.
Fix: Make sure the option to exclude hits from known bots and spiders is checked in your View Settings.
Read more about not set here

Iframes security tips and scripts

I am trying to launch a website for myself which people might be using in future. Currently I am allowing users to post iframes for YouTube and Google Maps etc. Copy entire 'iframe' from Google Maps or YouTube and paste it in post box just to keep it simple.
Later I am storing it in MySQL database. I am displaying this post on some page. I am little worried since though I have asked user to paste only YouTube or Maps iframes, a devil mind might put src of malicious code.
What are all the possible ways to prevent this?
I think there are multiple risks, some that come to mind are:
Cross-site scripting. There are too many ways to achieve this if you allow the full <iframe> tag to be displayed as entered. This is probably the main risk, and the showstopper. It would be really hard to prevent XSS if you just write the full iframe tag (as entered by an attacker) into subsequent pages. If you really want to do this, you should look into HTML sanitization like Google Caja or HTMLPurifier or similar, but it is a can of worms that you better avoid if possible.
Information leak to malicious website. This very much depends on the browser (and the exact version of such browser), but some information (like for example teh window size, etc.) does leak to the website in an iframe, even if it's from a different origin.
Information / control leak from malicious website. Even worse than the previous, the embedded website would have some control over the window, for example it can redirect it (again, I think it depends on the browser though, I'm not quite sure), or can change the url hash fragment. Also if postMessage is used, the iframe can send messages to your application, which can be exploited if your application is not properly secured (not necessarily right now, but at any time in the future, like 5 years from now, after much development).
Arbitrary text injection, possibly leading to social engineering. Say an adversary includes a frame that says something like "You are the winner of this month's super-prize! Call 1-800-ATTACKER to provide your details and get your reward!"... You get the idea. The message would look like a legitimate one from your website, when it's not.
So you'd better not allow people to enter full tags as copied from Google Maps or anywhere else. There appears to be a finite set of things you want to allow (like for example Youtube videos and Google Maps links are only two), for which you should have customized controls. The user would only enter the video id/slug (the part after ?v=...), or would paste the full link, from which you would take the id, and you would make the actual tag for your page on the server side. The same for Google Maps, if the user navigates to wherever he wants in a Maps window and pastes the url, you can make your own iframe I think, because everything is in the url in Google Maps.
So in short, you should not allow people entering tags. XSS can be mitigated by sanitizers, but other risks listed above cannot.

How to retrieve IDFA/AdID for use in dc_rdid attribute using PHP or JS?

I'm trying to publish a client's ad to our site (an "HTML5 ad" presented in an iFrame; we are hosting the HTML). The ad instructions indicate:
The publisher needs to insert device IDs into dc_rdid to enable in-app
conversion tracking.
The value assigned to the dc_rdid attribute is supposed to be the "IDFA" on iOS and the AdID on Android (and no mention of what this value should be on desktop). I'm having a lot of trouble finding information about how to retrieve these values in PHP or Javascript (I only find mention for getting them in the iOS / Android API's).
I'm assuming this must be possible or they wouldn't be asking for these HTML tags to contain these values. If anyone can point me in the right direction for how the attribute should be completed using PHP or JS that would be great (for desktop devices as well, if possible).
(I have the same question about how to retrieve the user's "Limit Ad Tracking" setting for the "dc_lat" and the value for "tag_for_child_directed_treatment" attributes.) Thanks!
Basically IDFA and AdID is part of device information attributes. You can't get either IDFA or AdID from desktop apps as well as PHP. User can be disable or reset it at will, as like as user clear the browser cookies
If you work with javascript stuff, you can grab those two data using javascript stuff such as react, as below :
https://www.npmjs.com/package/#ptomasroos/react-native-idfa
https://www.npmjs.com/package/react-native-gaid

Read Chrome browsing history within extension

How can I check if a certain link is found in Chrome's browsing history(on the computer that accesses the link) using JavaScript or jQuery? I am interested (if any) in the functions that I have to use. Also how can I get the date and time of the accessed link?
Retrieving the users history from javascript launched from a web page is impossible due to obvious blatant security issues.
Retrieving the users history from javascript running in an extension is possible, but doing so requires elevated permissions that the user has to grant after being warned. In summary you are probably looking for the chrome.history.getVisits() function. You can find more information on how to access the history using chrome.history here and the resulting security warnings given to the user here.
Nonono! That cannot happen. Unless you make a plugin, but I still doubt it.
This might be off topic but you might be interested in google analytics.
this chrome extension allow you to use browser address bar to search keywords, which will automatically search against your browser history and give you suggestion
Chrome webstore - history as bookmark
This is just not possible with Chrome because of security. What you would have to do is use cookies and add to the cookie each page the user is on along with the time visited.
Problem with this it will only track a user on your site not others. Cookies are only suppose to hold small amounts of info not long tracks of what page your user has been on. Also a user can disable cookies...
Another way is maybe doing this serverside and tracking the users IP through your pages and keep a list of what pages your user is visiting.

Categories