Youtube Cookies are not blocked by OneTrust auto-blocking script - javascript

I am loading a script from Youtube on page load, which loads the script and creates some cookies, which are needed from Youtube.
Now, I have implemented OneTrust to work on cookies based on user consent. In Onetrust, there is a config to block any cookies to be created before any user consent. Here, other cookies are getting blocked except Youtube cookies. I am looking for any reason as if why Youtube cookies are created even before the user gives consent.
Any pointers would be appreciated! Thanks!

1- You must enable automatically block known tracking technologies before publishing:
2- Make sure you implemented the script before any other scripts into the "head" section of the HTML template. If you integrate it via GTM, make sure OneTrust script fired first.

Related

Can HTTP Access Control (CORS) prevent other domains from running my scripts?

I know by default the HTML page on other domains can't access my images, videos. They can only show them. But sadly, they can still run my scripts. If my script exposes some variables to the global scope, then the internal logic may be known by others.
I have a private website that others can't visit. Only I can visit it by sending a token in the Cookie to the server. If the token isn't included in the Cookie, every request will cause a 500 server error response. This is secure because everything is on HTTPS.
But unfortunately, I find this isn't very safe on my own machine, because after I visit my site and then visit a malicious site, this malicious site can use the following method to run my script:
<script src="https://my-website.com/main.js"></script>
That's because the Cookies of my website on my machine will be sent to my server as 3rd-party Cookies.
How to prevent that? Can access-control-allow-origin do so?
P.S. I don't want to disable all 3rd-party cookies in browser settings. Cookie's SameSite also doesn't make sense because only Chrome support it now.
There are a number of imaginable ways to prevent other sites from using the script element to run copies of scripts from your site in their sites, but CORS isn’t one of them.
Browsers are where the same-origin policy (SOP) is enforced and browsers are what block JavaScript running in Web apps from being able to use responses from cross-origin requests.
But browsers don’t use SOP/CORS when a Web app uses the script element to embed some JavaScript. Specifically, browsers don’t check that the script is served from the other site with an Access-Control-Allow-Origin header, which is the foundation of the whole CORS protocol.
So CORS is definitely not a solution to the problem you seem to want to solve.
But unfortunately, I find this isn't very safe on my own machine, because after I visit my site and then visit a malicious site, this malicious site can use the following method to run my script:
<script src="https://my-website.com/main.js"></script>
But if that site embeds your script in theirs that way, it runs within their origin, not yours. It runs there as a trusted script with all the same privileges of any script they’ve written themselves.
In that scenario, the other site is the one taking a security risk—because you can at any time change your https://my-website.com/main.js script to do anything you want at their site.
That is, by embedding your script that way, the other site gives your script programmatic fully-trusted access to do anything it wants at their entire origin—gifting you an XSS opportunity.

customization of AMP-HTML

In order to ensure compliance with the Cookie Law when using AMP, I need to be able to block the scripts that install cookies and activate them only once the user has given consent. I'm trying to achieve this on AMP-compliant pages, but I'm having the issues described below.
Upon reading the AMP documentation, I noticed that it is only possibile to insert scripts if the script type is set to “application/ld+json”.
The way we currently handle the blocking and re-activation of scripts once the cookie consent has been provided is to change the script type into plain/text in the page source, then switching it back via javascript only after the consent has been given.
How can we achieve this on an AMP-compliant page?
If it's not possibile insert custom script tags, can I create an “AMP-plugin” or a script accepted by the AMP system that makes me achieve the same?
Is it possible to prevent AMP activation at page load to then activate it with a specific trigger?
Also, we've noticed that the AMP js itself is installing cookies. Can the load of the AMP js also be subject to user consent to cookies?
Thanks in advance for your help.
Cookies might be troublesome either way. AMP sites are delivered via Google CDN - so they run on a google subdomain instead of your own domain. This is done by Google to further accelerate the render speed of the site.
So even if you could write a cookie, its scope would be the google subdomain, instead of your own domain.
There seem to be some work-arounds in context of the amp-analytics plugin:
https://www.ampproject.org/docs/guides/analytics/analytics_basics
Here is a cookie accept sample.
Hope this helps. Normaly it is okay to inform the user only that you use cookies.
If you want block cookie before loading the AMP you must handle it self by a script. Same whren user not accept.
Cookie writing can be controlled by passing in amp-user-notification-id as described in https://github.com/ampproject/amphtml/blob/master/extensions/amp-analytics/analytics-vars.md#clientid
The exact code that you need to use depends on what component is writing the cookies. Is it an analytics vendor or an ad or something else?

Prevent unsecure HTTP requests

I have a blog on tumblr, and I am trying out the website with SSL. Now with Chrome and possibly other browsers, any images and scripts that are not loaded using HTTPS are automatically blocked, and I lose the happy little green lock icon in the address bar. I am able to edit the HTML of the theme, however there are too many external scripts that are used to load images (and other scripts) to be able to weed out and fix every HTTP request. Obviously, I don't have access to the web server settings for tumblr.com or I could have easily configured HTTPS redirects or something.
I was wondering if there would be any way to prevent the HTML and other included scripts from making HTTP requests through the use of javascript. The website appears and functions just fine without the blocked elements, and I just want the lock icon to show my visitors that it's a safe website.
I have no intention of advertising my blog here, as I'm sure it is against the user policy on this forum. That being said, if it is helpful for troubleshooting reasons, I can post the link if requested.

How to show onbeforeload window for iframe?

I have a flash game from another website iframed on my site.
I want to prevent users for leaving my site when clicking a banner inside the flash game that redirect to another website.
I tried the sanbox thing but didnt work.
is this possible since the iframed content is a flash game?
Since the iframe is cross domain there isn't really anything you can do unless you have access to that server. Check out CORS(Cross Origin Resource Sharing), but I think even that will only get you as far as XHR requests go. It still wouldn't allow your scripts to access the contents of the iframe unless it is hosted on the same domain.

<iframe> links disappear when uploading website [duplicate]

How can I get around this? I wan't to make sure my users see the content without having to press the "disable protection on this page" button.
What you're trying to do is load Youtube over an http connection whilst your own site is served over a https connection, thus making it possible for a man in the middle attack to change the content of youtube and thus affect your site. As youtube doesn't allow loading the videos over https as far as I can see there is no way to really solve this problem if your site needs to really work over https. Either you will have to disable the secured connection on your site or alternatively not use Youtube, whatever you choose you will have to accept that the loaded page will be insecure.
(Btw, I am not sure how the browser treats mixed content, because loading the youtube player is possible over https, however loading the video stream over https is not possible, so I pressume that with the HTML5 player it won't work and with the flash player it will work, but I would have to do more testing to make sure of this)

Categories

Resources