[Done] Remove yandex.st from default whitelist?

barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz »

In trying out NoScript 10 I was reminded that yandex.st is on the default whitelist. According to FAQ 1.5, it was added only because it is a "CDN providing common, well known and verified JavaScript libraries and frameworks to popular websites." And only that because it was requested in this thread - https://forums.informaction.com/viewtop ... 10&t=17066

But, now, per the articles linked in https://forums.informaction.com/viewtop ... 18&t=23569, yandex is now serving highly invasive tracking scripts.

Should yandex.st be removed from the default whitelist?
*Always* check the changelogs BEFORE updating that important software!
-
8-bit
Senior Member
Posts: 99
Joined: Thu Mar 16, 2017 7:43 pm

Re: Remove yandex.st from default whitelist?

Post by 8-bit »

barbaz wrote: But, now, per the articles linked in https://forums.informaction.com/viewtop ... 18&t=23569, yandex is now serving highly invasive tracking scripts.

Should yandex.st be removed from the default whitelist?

I'm marking it as untrusted based on your information alone. Thanks for reporting this. Based on what you said, I believe it should be removed. Whether that will be default or not is not my decision to make.

Thanks again for the info!

8-bit
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Remove yandex.st from default whitelist?

Post by barbaz »

bump
-
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Remove yandex.st from default whitelist?

Post by Giorgio Maone »

Doing that, thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
cowsay
Posts: 1
Joined: Sat Dec 09, 2017 4:07 am

Re: [Done] Remove yandex.st from default whitelist?

Post by cowsay »

yandex is now serving highly invasive tracking scripts
1) is now?

no, not now, yandex metrika and webvisor have existed for the last 10 years as far as I remember, known best alternative to google analytics, great instrument for webmasters, not for "tracking"
nobody worried about this until "research"

2) I would rather block domains that installed webvisor on websites/pages with sensitive information forms, not yandex itself

3) who told you that yandex.st is yandex metrics/webvisor?

this is the typical code of a counter, as you can see the script is https://mc.yandex.ru/metrika/watch.js
the domain is mc.yandex.ru (or mc.yandex.com if you have a non-ru account), not yandex.st

<!-- Yandex.Metrika counter -->
<script type="text/javascript" >
    (function (d, w, c) {
        (w[c] = w[c] || []).push(function() {
            try {
                w.yaCounter0000000 = new Ya.Metrika({
                    id:0000000,
                    clickmap:true,
                    trackLinks:true,
                    accurateTrackBounce:true,
                    webvisor:true,
                    trackHash:true
                });
            } catch(e) { }
        });

        var n = d.getElementsByTagName("script")[0],
            s = d.createElement("script"),
            f = function () { n.parentNode.insertBefore(s, n); };
        s.type = "text/javascript";
        s.async = true;
        s.src = "https://mc.yandex.ru/metrika/watch.js";

        if (w.opera == "[object Opera]") {
            d.addEventListener("DOMContentLoaded", f, false);
        } else { f(); }
    })(document, window, "yandex_metrika_callbacks");
</script>
<noscript><div><img src="https://mc.yandex.ru/watch/0000000" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
<!-- /Yandex.Metrika counter -->

4) p.s.
according to https://tech.yandex.ru/jslibs/ , the domain of the javascript libs cdn is now yastatic.net
example https://yastatic.net/jquery/3.1.1/jquery.min.js
(but the old one also works and is used) https://yandex.st/jquery/3.1.1/jquery.min.js
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
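The distinction drawn in point 3 of the post above (the counter script loads from mc.yandex.ru, while yandex.st and yastatic.net serve the library CDN) can be checked mechanically by listing a page's script hosts against an allow list. This is an added example, not part of the original post and not NoScript's code; the sample markup, the two allow lists, and the subdomain-matching rule in `covers` are assumptions.

```javascript
// Added example. The markup and allow lists below are constructed samples.
const samplePage = `
<script src="https://yandex.st/jquery/3.1.1/jquery.min.js"></script>
<script src="https://yastatic.net/jquery/3.1.1/jquery.min.js"></script>
<script type="text/javascript">
  var s = document.createElement("script");
  s.src = "https://mc.yandex.ru/metrika/watch.js";
</script>`;

// Collect script URLs from static src attributes and from `.src = "..."`
// assignments in inline scripts (the pattern the counter snippet uses).
function scriptUrls(html) {
  const urls = new Set();
  const patterns = [
    /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi,
    /\.src\s*=\s*["'](https?:\/\/[^"']+)["']/gi,
  ];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) urls.add(m[1]);
  }
  return [...urls];
}

// Assumption: an allow-list entry covers that host and its subdomains.
function covers(entry, host) {
  return host === entry || host.endsWith("." + entry);
}

// For each script, report its host and which entry (if any) permits it.
function audit(html, allowList) {
  return scriptUrls(html).map((u) => {
    const { hostname, pathname } = new URL(u);
    const allowedBy = allowList.find((e) => covers(e, hostname)) || null;
    return { host: hostname, path: pathname, allowedBy };
  });
}

// Hosts whose scripts would not run under the given allow list.
function blockedHosts(html, allowList) {
  return audit(html, allowList).filter((r) => !r.allowedBy).map((r) => r.host);
}

const withEntry = ["yandex.st", "yastatic.net"]; // constructed allow list
const withoutEntry = ["yastatic.net"];           // same list, yandex.st removed
console.log(blockedHosts(samplePage, withEntry));
console.log(blockedHosts(samplePage, withoutEntry));
```

Under these assumptions the yandex.st entry only decides whether the yandex.st-hosted library loads; the mc.yandex.ru script is governed by whatever entry covers that host.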