Posted by fsflover 7/4/2025

Incapacitating Google Tag Manager (2022) (backlit.neocities.org)
213 points | 153 comments | page 2
drcongo 7/4/2025|
Google Tag Manager and the whole consent management platform certification business is nothing more than a shakedown. It's racketeering.
egorfine 7/7/2025||
I have been developing software for over 30 years now.

GTM is in my top #3 list of the worst software to ever exist. And I mean it. GTM is incredibly hostile to everyone around it: to the victims, to marketing people, to software engineers.

Animats 7/4/2025||
Blocking Google Tag Manager script injection seems to have few side effects. Blocking third party cookies also seems to have few side effects. Turning off JavaScript breaks too much.
alganet 7/4/2025|
Use a whitelist-based extension such as NoScript:

https://noscript.net

You can then enable just enough JS to make sites work, slowly building a list of just what is necessary. It can also block fonts, webgl, prefetch, ping and all those other supercookie-enabling techniques.

The same with traditional cookies. I use Cookie AutoDelete to remove _all_ cookies as soon as I close the tab. I can then whitelist the ones I notice have an impact on authentication.

Also, you should disable JavaScript JIT, so the scripts that eventually load are less effective at exploiting potential vulnerabilities that could expose your data.

Timwi 7/5/2025||
Why would JIT be more likely to have such a vulnerability than a JavaScript engine without JIT?
alganet 7/7/2025||
I honestly don't know. I just noticed a lot of CVEs related to JS JIT in different browsers.
padjo 7/5/2025||
How refreshing, a website that doesn’t punch me in the face with a cookie banner. Is that because they’re legit not tracking me or are they just noncompliant?
monista 7/4/2025||
If you block Google Tag Manager, you probably also want to block Yandex Metrics and Cloudflare Insights.
reddalo 7/4/2025|
I think it's hard to block Cloudflare Insights because most of the data is collected server-side.
ozgrakkurt 7/5/2025||
You can use something like this maybe https://adnauseam.io/
ayaros 7/4/2025||
Is there a good way to collect basic analytics if you have a site you're hosting on GitHub pages? In such cases I'd rather not rely on Google Analytics if I don't have to.
marsavar 7/4/2025||
https://plausible.io/ or https://usefathom.com/
sneak 7/4/2025||
There are literally hundreds of alternatives.
ayaros 7/4/2025||
I figured... just wanted to see which ones people on HN think are worth looking at.
rurban 7/4/2025||
Just add the domain to your /etc/hosts as 0.0.0.0

Doing that for years

future10se 7/4/2025||
As mentioned on the blog post:

> Used as supplied, Google Tag Manager can be blocked by third-party content-blocker extensions. uBlock Origin blocks GTM by default, and some browsers with native content-blocking based on uBO - such as Brave - will block it too.

> Some preds, however, full-on will not take no for an answer, and they use a workaround to circumvent these blocking mechanisms. What they do is transfer Google Tag Manager and its connected analytics to the server side of the Web connection. This trick turns a third-party resource into a first-party resource. Tag Manager itself becomes unblockable. But running GTM on the server does not lay the site admin a golden egg...

By serving the Google Analytics JS from the site's own domain, this makes it harder to block using only DNS. (e.g. Pi-Hole, hosts file, etc.)

One might think "yeah but the google js still has to talk to google domains", but apparently, Google lets you do "server-side" tagging now (e.g. running a google tag manager docker container). This means more (sub)domains to track and block. That said, how many site operators choose to go this far, I don't know.

https://developers.google.com/tag-platform/tag-manager/serve...
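
The effect described in the comment above, as an added example (not part of the thread or the linked article): a hosts-file blocklist is checked against the script URLs of a page, showing that a loader served from the site's own subdomain is not covered. The hosts entries, the `shop.example` page, the tag ids and the `GTM_LIKE` heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample inputs (not from any real site or published blocklist).
HOSTS = "# sample\n0.0.0.0 www.googletagmanager.com\n0.0.0.0 www.google-analytics.com # note\n"
PAGE_URL = "https://shop.example/"
HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TEST123"></script>
<script src="https://metrics.shop.example/gtm.js?id=GTM-TEST1"></script>
<script src="/static/app.js"></script>
"""
# Heuristic (assumption): a relocated loader keeps GTM's default path and id format.
GTM_LIKE = re.compile(r"/(gtm\.js|gtag/js)\?(.*&)?id=(GTM|G)-[\w-]+", re.I)

def parse_hosts(text):
    """Return the hostnames a hosts file points at 0.0.0.0 or 127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in fields[1:])
    return blocked

class ScriptSrcs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])

def audit(page_url, html, hosts_text):
    """Map each script URL on the page to how a hosts-file block treats it."""
    blocked, site = parse_hosts(hosts_text), urlsplit(page_url).hostname
    parser = ScriptSrcs()
    parser.feed(html)
    report = {}
    for url in (urljoin(page_url, s) for s in parser.srcs):
        host = urlsplit(url).hostname or ""
        same_site = host == site or host.endswith("." + site)  # suffix match, not a PSL lookup
        if host in blocked:
            report[url] = "blocked-by-hosts"
        elif same_site and GTM_LIKE.search(url):
            report[url] = "first-party-gtm-like"  # on the site's own domain, not in the list
        else:
            report[url] = "first-party" if same_site else "third-party-unblocked"
    return report

if __name__ == "__main__":
    print(*(f"{v:22} {u}" for u, v in audit(PAGE_URL, HTML, HOSTS).items()), sep="\n")
```
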

whatevertrevor 7/5/2025||
Slightly related, I've also been recently noticing some sites loading ads pseudo-dynamically from "content-loader" subdomains usually used to serve images. It's obnoxious because blocking that subdomain at the DNS level usually breaks the site.

My current strategy is to fully block the domain if that's the sort of tactic they're willing to use.

1oooqooq 7/4/2025||
https://someonewhocares.org/hosts/zero/
iknownothow 7/4/2025|||
I just did a wget of the site and noticed the following line at the end.

> <script async src="https://www.googletagmanager.com/gtag/js?xxxxxxx"></script>

I am going to use this for sure, but it is a little ironic.

jpgreens 7/5/2025||||
What if we could resolve every domain to 0.0.0.0 by default at the start. When visiting a website manually through the browser's URL bar it would automatically be whitelisted. Clicking links would also whitelist the domain of the link only. Sure you'd have to occasionally allow some 3rd party domains as well. Guess it would be cumbersome at first but after a while it would be pretty stable and wouldn't require much extra attention.
1oooqooq 7/7/2025||
that's exactly what uBlockOrigin does in advanced mode.

enjoy.

reddalo 7/4/2025|||
I feel like that document is seriously outdated.

This GitHub repo seems way more up-to-date: https://github.com/StevenBlack/hosts

lazyeye 7/4/2025||
Try pihole (self-hosted) or nextdns if you want something that stays up to date.
colinprince 7/5/2025||
didn't first party sets get dropped in 2022?

https://lists.w3.org/Archives/Public/public-privacycg/2022Ju...

lerp-io 7/4/2025||
ugh... if you think the internet should be a "static webpage" i got bad news for you bud
Timwi 7/5/2025|
The term is a little ambiguous. They're not referring to a website that is served from static files that never change (which would exclude forums like Hacker News). They're referring to websites that still work if you disable JavaScript, so Hacker News would still be included.
aleppopepper 7/4/2025|
That's hilarious. Do you really think Google should be privacy respecting?