Incapacitating Google Tag Manager (2022)

Posted by fsflover 1 day ago

Incapacitating Google Tag Manager (2022)(backlit.neocities.org)

201 points | 135 commentspage 2

user070223 14 hours ago|

Ublock origin author - Gorhill - 2022 response: https://news.ycombinator.com/item?id=30415234

Ublock origin wiki referencing a method to block, unsure how effective it is(seems to be based on the first link): https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...

"*$1p,strict3p,script,header=via:1.1 google"

Perhaps some filter in your list already utilizing this but I'm unable to verify

padjo 15 hours ago||

How refreshing, a website that doesn’t punch me in the face with a cookie banner. Is that because they’re legit not tracking me or are they just noncompliant?

Animats 1 day ago||

Blocking Google Tag Manager script injection seems to have few side effects. Blocking third party cookies also seems to have few side effects. Turning off Javascript breaks too much.

alganet 1 day ago|

Use a whitelist-based extension such as NoScript:

https://noscript.net

You can then enable just enough JS to make sites work, slowly building a list of just what is necessary. It can also block fonts, webgl, prefetch, ping and all those other supercookie-enabling techniques.

The same with traditional cookies. I use Cookie AutoDelete to remove _all_ cookies as soon as I close the tab. I can then whitelist the ones I notice impact on authentication.

Also, you should disable JavaScript JIT, so the scripts that eventually load are less effective at exploiting potential vulnerabilities that could expose your data.

Timwi 3 hours ago||

Why would JIT be more likely to have such a vulnerability than a JavaScript engine without JIT?

monista 1 day ago||

If you block Google Tag Manager, you probably also want to block Yandex Metrics and Cloudflare Insights.

reddalo 1 day ago|

I think it's hard to block Cloudflare Insights because most of the data is collected server-side.

ozgrakkurt 16 hours ago||

You can use something like this maybe https://adnauseam.io/

ayaros 1 day ago||

Is there a good way to collect basic analytics if you have a site you're hosting on GitHub pages? In such cases I'd rather not rely on Google Analytics if I don't have to.

marsavar 23 hours ago||

https://plausible.io/ or https://usefathom.com/

sneak 23 hours ago||

There are literally hundreds of alternatives.

ayaros 23 hours ago||

I figured... just wanted to see which ones people on HN think are worth looking at.

rurban 1 day ago||

Just add the domain to your /etc/hosts as 0.0.0.0

Doing that for years

future10se 1 day ago||

As mentioned on the blog post:

> Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.

> Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...

By serving the Google Analytics JS from the site's own domain, this makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file, etc.)

One might think "yeah but the google js still has to talk to google domains", but apparently, Google lets you do "server-side" tagging now (e.g. running a google tag manager docker container). This means more (sub)domains to track and block. That said, how many site operators choose to go this far, I don't know.

https://developers.google.com/tag-platform/tag-manager/serve...

whatevertrevor 17 hours ago||

Slightly related I've also been recently noticing some sites loading ads pseudo-dynamically from "content-loader" subdomains usually used to serve images. It's obnoxious because blocking that subdomain at the DNS level usually breaks the site.

My current strategy is to fully block the domain if that's the sort of tactic they're willing to use.

1oooqooq 1 day ago||

https://someonewhocares.org/hosts/zero/

iknownothow 1 day ago|||

I just did a wget of the site and noticed the following line at the end.

> <script async src="https://www.googletagmanager.com/gtag/js?xxxxxxx"></script>

I am going to use this for sure, but it is a little ironic.

jpgreens 21 hours ago||||

What if we could resolve every domain to 0.0.0.0 by default at the start. When visiting a website manually through the browser's URL bar it would automatically be whitelisted. Clicking links would also whitelist the domain of the link only. Sure you'd have to occasionally allow some 3rd party domains as well. Guess it would be cumbersome at first but after a while it would be pretty stable and wouldn't require much extra attention.

reddalo 1 day ago|||

I feel like that document is seriously outdated.

This GitHub repo seems way more up-to-date: https://github.com/StevenBlack/hosts

lazyeye 23 hours ago||

Try pihole (self-hosted) or nextdns if you want something that stays up to date.

drcongo 1 day ago||

Google Tag Manager and the whole consent management platform certification business is nothing more than a shakedown. It's racketeering.

lerp-io 23 hours ago||

ugh... if you think the internet should be a "static webpage" i got bad news for you bud

Timwi 2 hours ago|

The term is a little ambiguous. They're not referring to a website that is served from static files that never change (which would exclude forums like Hacker News). They're referring to websites that still work if you disable JavaScript, so Hacker News would still be included.

hinkley 20 hours ago||

We had a disgusting number of tags on some of our customer pages and a few dozen of them start to have effects on page load, especially if you were still on HTTP 1.1.

aleppopepper 1 day ago|

That's hilarious. Do you really Google should be privacy respecting?

More comments...