[Done] Remove yandex.st from default whitelist?

Bug reports and enhancement requests
Post Reply
barbaz
Senior Member
Posts: 9140
Joined: Sat Aug 03, 2013 5:45 pm

[Done] Remove yandex.st from default whitelist?

Post by barbaz » Tue Nov 21, 2017 6:23 pm

In trying out NoScript 10 I was reminded that yandex.st is on the default whitelist. According to FAQ 1.5, it was added only because it a "CDN providing common, well known and verified JavaScript libraries and frameworks to popular websites." And only that because it was requested in this thread - https://forums.informaction.com/viewtop ... 10&t=17066

But, now, per the articles linked in https://forums.informaction.com/viewtop ... 18&t=23569, yandex is now serving highly invasive tracking scripts.

Should yandex.st be removed from the default whitelist?
*Always* check the changelogs BEFORE updating that important software!
-

8-bit
Senior Member
Posts: 97
Joined: Thu Mar 16, 2017 7:43 pm

Re: Remove yandex.st from default whitelist?

Post by 8-bit » Wed Nov 22, 2017 12:20 am

barbaz wrote:But, now, per the articles linked in https://forums.informaction.com/viewtop ... 18&t=23569, yandex is now serving highly invasive tracking scripts.

Should yandex.st be removed from the default whitelist?
I'm marking it as untrusted based on your information alone. Thanks for reporting this. Based on what you said, I believe it should be removed. Whether that will be default or not is not my decision to make.

Thanks again for the info!

8-bit
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0

barbaz
Senior Member
Posts: 9140
Joined: Sat Aug 03, 2013 5:45 pm

Re: Remove yandex.st from default whitelist?

Post by barbaz » Fri Dec 01, 2017 5:35 am

bump
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Remove yandex.st from default whitelist?

Post by Giorgio Maone » Fri Dec 08, 2017 8:59 pm

Doing that, thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

cowsay
Posts: 1
Joined: Sat Dec 09, 2017 4:07 am

Re: [Done] Remove yandex.st from default whitelist?

Post by cowsay » Sat Dec 09, 2017 4:28 am

yandex is now serving highly invasive tracking scripts
1) is now?

no, not now, yandex metrika and webvisor exists for the last 10 years as far as i remember, known best alternative to google analytics, great instrument for webmasters, not for "tracking"
nobody worried about this until "research"

2) i rather will block domains who installed webvisor at websites/pages with sensitive information forms. not yandex itself

3) who told you that yandex.st is yandex metrics/webvisor?

this is a typical code of counter, as you can see the script is https://mc.yandex.ru/metrika/watch.js
domain is mc.yandex.ru (or mc.yandex.com if you have non-ru account) not yandex.st

Code: Select all

<!-- Yandex.Metrika counter -->
<script type="text/javascript" >
    (function (d, w, c) {
        (w[c] = w[c] || []).push(function() {
            try {
                w.yaCounter0000000 = new Ya.Metrika({
                    id:0000000,
                    clickmap:true,
                    trackLinks:true,
                    accurateTrackBounce:true,
                    webvisor:true,
                    trackHash:true
                });
            } catch(e) { }
        });

        var n = d.getElementsByTagName("script")[0],
            s = d.createElement("script"),
            f = function () { n.parentNode.insertBefore(s, n); };
        s.type = "text/javascript";
        s.async = true;
        s.src = "https://mc.yandex.ru/metrika/watch.js";

        if (w.opera == "[object Opera]") {
            d.addEventListener("DOMContentLoaded", f, false);
        } else { f(); }
    })(document, window, "yandex_metrika_callbacks");
</script>
<noscript><div><img src="https://mc.yandex.ru/watch/0000000" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
<!-- /Yandex.Metrika counter -->
4) p.s
according to https://tech.yandex.ru/jslibs/ , domain of javascript libs cdn is now is yastatic.net
example https://yastatic.net/jquery/3.1.1/jquery.min.js
(but old one also works and used) https://yandex.st/jquery/3.1.1/jquery.min.js
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

Post Reply