Is it possible to read cookies of a visitor? - javascript

AdSense use javascript to catch the keywords of current page to display relevant ads. But I was recently noticed that it will show ads related to my browsing history too. It seems that the javascript code can read my cookie (in general I mean, e.g. list of domains visited) to display relevant ads.
Is it practically possible to read cookies of a visitor?

No, it isn't possible to do so directly due to the same origin policy. (If it were possible, then you could make a page that stole the session of anyone on any domain!)
However, many websites include code from ad providers (read Google) on their page -- so that Google knows that you have visited website X because website X allows Google code to run when someone visits it. When you later visit website Y and it asks Google to display some ads on its behalf, what happens is no mystery.
Google knows all.

Related

GDPR: youtube-nocookie embedded URL's, need visitors' permission?

This is my first time posting on Stack Overflow and I have a question about the GDPR.
Hi there! (This is ment to be on top of the post, but for some reason it gets deleted when I save it)
Situation:
On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube video's on the website, which usually places tracking cookies.
After some research I stumpled upon the youtube-nocookie.com domain, which I am using now. Without using that domain, an embedded video url will be:
https://www.youtube.com/embed/7cjVj1ZyzyE
With using it, it is:
https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE
By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: https://support.google.com/youtube/answer/171780?hl=en under 'Turn on privacy-enhanced mode'). However, there will still be placed some cookies, and it is not clear for me if visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).
Image of the cookies:
Image of cookies youtube-nocookies.com places
This is in Chrome. The cookies from the gstatic domain are placed on page-load for some reason. That doesn't happen in Opera.
Another weird thing is that FireFox (with allowing all cookies and trackers) and Edge don't seem to place any of the 6 cookies from the image at all.
Many sites and blogs say that this is the way to embed YouTube video's, but I can't seem to find a clear answer to the question if you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube video's and the corresponding cookies will be happily placed without my consent.
Has anybody delt with this before?
Thanks in advance!
After some more research I think I found a clear answer. From a report of Cookiebot:
“Privacy-Enhanced Mode” currently
stores an identifier named “yt-remote-device-id”
in the web browser’s “Local Storage”. This
allows tracking to continue regardless of
whether users click, watch, or in any other way
interact with a video – contrary to Google’s
claims. Rather than disabling tracking, “privacyenhanced mode” seems to cover it up.
Source: https://www.cookiebot.com/media/1136/cookiebot-report-2019-ad-tech-surveillance-2.pdf
The 'yt-remote-device-id' indentifier, along with some other ones, are, even with the use of the youtube-nocookie.com domain (or 'Privacy Enhanced Mode'), still being placed on page load (given that the iframe with the set source is already part of the DOM at this point of course).
So while no tracking 'cookies' cookies are placed, the tracking has moved to the browsers localStorage (I overlooked this before), which basically means visitors actually do need to give permission before embedded YouTube video's with Privacy Enhanced Mode enabled should be loaded on the page.
Update
Gave some nuance in response to Marc Hjorth's comment.
i can confirm that the localStorage entry effectively replaces the funktion of the cookie. it is persistent and makes you identifiable across browser sessions. i get the same "yt-remote-device-id" value each time after restarts. only erasing the local storage makes a difference.

Conflict with double google analytics

I have a website that only has a full window iframe to a page that already has google analytics, but not on my account(the page isn't mine either). I would like to track my website with Google Analytics and if I put the script in the head site it will say "Tracking not installed". IS there any way to make the browser ignore the google analytics from the iframe?
If the iframed GA account isn't yours then there is nothing you can do about it. However you can still implement your own analytics by simply doing what you were doing before and putting your own GA code on your pages. You will see that tracking not installed message because it normally takes at least 24 hours for the code to register. In the meantime if there is nothing else wrong with the implementation, you can check in your Real-time reports to see if your own simultaneous visits are recorded. If they are then you are good to go and just need to wait 24 hours for data to show up in your standard reports.
You cannot change the content of the iframe, it would violate the same origin policy. Are you sure you should be using an iframe at all? Either way you can easily add Google Analytics to your own site and track whatever you need with your own Google Analytics ID.
If your analytics code is in the iframe, Google will report that tracking isn't installed as they're checking the parent page, not the iframe. Tracking will still work, though. You should see stats come through normally.

Google Ads not showing when my site is inside an iFrame

I'm building a web application (a web site) which has a feature where you can embed it inside your own web site (using an iframe).
So, my app has Google Ads, and sometimes when the it is inside another site as embed (inside an iFrame) it doesn't show Ads, I mean, ads are being rendered, but sometimes that html from google is blank.
I'm concern about the Policy of GoogleAds and to not use iFrames to show ads, but I'm not using iframes to show them, my app is just inside another site as a feature.
My question is: can this be done?, or by that policy I won't be able to show ads on my embed feature?
EDIT 1
This is the content which Google is rendering (inside another iframe of another iframe):
<html>
<head>
</head>
<body style="background-color:transparent" marginwidth="0" marginheight="0">
</body>
</html>
and also, I getting an error on the console:
Blocked a frame with origin "http://googleads.g.doubleclick.net" from
accessing a frame with origin "http://example.com". Protocols,
domains, and ports must match.
where "example.com" is some site that is using my feature
EDIT 2
So, I step at the Network tab of the console, and watch what was calling. Does a GET
http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-XXXX.... With 200 OK always, but sometimes it returns just the blank HTML (posted above) and sometimes the actual html with an AD.
One more thing I didn't tell, I'm using the Asynch new Beta method, not the Synch, so I'm thinking of try the Synch and see what happens.
You might try loading the page outside an IFRAME and run network capture on the traffic to/from Google. Explore the response headers - they might be using X-Frame-Options to prevent illicit click activity on ads. There's likely very little you can do about it aside from doing a server-side request and embedding the response HTML yourself. This will dramatically slow down your page loads and might violate your ad agreement.
EDIT:
After reading your follow-up testing, it sounds more like your site just doesn't meet the criteria of enough ad campaigns to serve ads with every request. I'd look at Google's FAQs or marketing information to find out how often ads are served or why you might not be getting ads on every request. Remember, the ads are for the benefit of the advertiser and they have good tools to make sure their ads are specifically targeted to the right audience to maximize their return. Your site just might not meet enough criteria to get many ads.
EDIT 2: A quick Google search turned up this FAQ for why Ads might not be showing. They seem geared to why ads don't show at all, not intermittent appearance.

How does Google Analytics In-Page Analytics work?

Google Analytics features an 'In-Page Analytics' view to show click-through rates and other information directly on your own website. I'm looking to build something similar that logs all clicks.
The problem is I'm not really sure how Google implement their In-Page Analytics views - they seem to use an iframe, or two, and have injected their own HTML and JavaScript onto other pages.
How would one go about doing such a thing - are iframes the best way to go? How would you avoid the same-origin security policies of Javascript if domainX is trying to manipulate the rendering of domainY?
This is a very interesting question. You're right, the same origin policy forbids injecting JS. But Google Analytics has an advantage: it already is in your site (the tracker code).
So here is how it works (as far as I can see):
When you open in-page analytics, you are first taken to https://www.google.com/analytics/reporting/iyp_launch
This page redirects to your site and adds a Google session to the url (like http://example.com/#gaso=THESESSION
The tracker now checks if the referrer is iyp_launch and gaso is set. If yes, it does not only load the tracker, but also injects the JS needed for requesting further data and rendering the overlays. This way, the JS is executed inside the frame (or window) and bypasses the same-origin policy.
Since Google Anaytics already tracks your visit (i.e. identifies you as the same user that viewed the previous page), it can from then on inject the additional JS along with the tracker until your visit is over (i.e. you close the page). This way, the overlays can be rendered again after you click a link.
So I guess the bottom line is this: Things like in-page analytics can be done if the site's owner has already trusted you by adding a script you control to his website (this is a good example why one should be very careful before doing such a thing). If you don't have that kind of access to the site, it might be impossible to bypass the same-origin policy - at least, I can't think of another way to do it (except maybe proxying all the requests through your sever, but that leads to other major problems).
I think this can be done quite simply. You inject javascript that makes sure that whenever a user clicks a link it requests/posts to a special page in the iframe. Something like this (jquery):
$('a').live('click', function() {
$('#' + iframeid).attr('http://somedomain.com/my_magic_page.php?linkClicked=' + $(this).attr('id') + '&page=' + window.location.toString());
}
Don't know if it'll work though.

Read Chrome browsing history within extension

How can I check if a certain link is found in Chrome's browsing history(on the computer that accesses the link) using JavaScript or jQuery? I am interested (if any) in the functions that I have to use. Also how can I get the date and time of the accessed link?
Retrieving the users history from javascript launched from a web page is impossible due to obvious blatant security issues.
Retrieving the users history from javascript running in an extension is possible, but doing so requires elevated permissions that the user has to grant after being warned. In summary you are probably looking for the chrome.history.getVisits() function. You can find more information on how to access the history using chrome.history here and the resulting security warnings given to the user here.
Nonono! That cannot happen. Unless you make a plugin, but I still doubt it.
This might be off topic but you might be interested in google analytics.
this chrome extension allow you to use browser address bar to search keywords, which will automatically search against your browser history and give you suggestion
Chrome webstore - history as bookmark
This is just not possible with Chrome because of security. What you would have to do is use cookies and add to the cookie each page the user is on along with the time visited.
Problem with this it will only track a user on your site not others. Cookies are only suppose to hold small amounts of info not long tracks of what page your user has been on. Also a user can disable cookies...
Another way is maybe doing this serverside and tracking the users IP through your pages and keep a list of what pages your user is visiting.

Categories