In trying out NoScript 10 I was reminded that yandex.st is on the default whitelist. According to FAQ 1.5, it was added only because it a "CDN providing common, well known and verified JavaScript libraries and frameworks to popular websites." And only that because it was requested in this thread - https://forums.informaction.com/viewtop ... 10&t=17066
But, now, per the articles linked in https://forums.informaction.com/viewtop ... 18&t=23569, yandex is now serving highly invasive tracking scripts.
Should yandex.st be removed from the default whitelist?
[Done] Remove yandex.st from default whitelist?
[Done] Remove yandex.st from default whitelist?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Remove yandex.st from default whitelist?
I'm marking it as untrusted based on your information alone. Thanks for reporting this. Based on what you said, I believe it should be removed. Whether that will be default or not is not my decision to make.barbaz wrote:But, now, per the articles linked in https://forums.informaction.com/viewtop ... 18&t=23569, yandex is now serving highly invasive tracking scripts.
Should yandex.st be removed from the default whitelist?
Thanks again for the info!
8-bit
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Re: Remove yandex.st from default whitelist?
bump
*Always* check the changelogs BEFORE updating that important software!
-
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Remove yandex.st from default whitelist?
Doing that, thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: [Done] Remove yandex.st from default whitelist?
1) is now?yandex is now serving highly invasive tracking scripts
no, not now, yandex metrika and webvisor exists for the last 10 years as far as i remember, known best alternative to google analytics, great instrument for webmasters, not for "tracking"
nobody worried about this until "research"
2) i rather will block domains who installed webvisor at websites/pages with sensitive information forms. not yandex itself
3) who told you that yandex.st is yandex metrics/webvisor?
this is a typical code of counter, as you can see the script is https://mc.yandex.ru/metrika/watch.js
domain is mc.yandex.ru (or mc.yandex.com if you have non-ru account) not yandex.st
Code: Select all
<!-- Yandex.Metrika counter -->
<script type="text/javascript" >
(function (d, w, c) {
(w[c] = w[c] || []).push(function() {
try {
w.yaCounter0000000 = new Ya.Metrika({
id:0000000,
clickmap:true,
trackLinks:true,
accurateTrackBounce:true,
webvisor:true,
trackHash:true
});
} catch(e) { }
});
var n = d.getElementsByTagName("script")[0],
s = d.createElement("script"),
f = function () { n.parentNode.insertBefore(s, n); };
s.type = "text/javascript";
s.async = true;
s.src = "https://mc.yandex.ru/metrika/watch.js";
if (w.opera == "[object Opera]") {
d.addEventListener("DOMContentLoaded", f, false);
} else { f(); }
})(document, window, "yandex_metrika_callbacks");
</script>
<noscript><div><img src="https://mc.yandex.ru/watch/0000000" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
<!-- /Yandex.Metrika counter -->
according to https://tech.yandex.ru/jslibs/ , domain of javascript libs cdn is now is yastatic.net
example https://yastatic.net/jquery/3.1.1/jquery.min.js
(but old one also works and used) https://yandex.st/jquery/3.1.1/jquery.min.js
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0