Using Third-Party Resources
You have to comply with privacy regulations, and you have third-party and user-specified resources embedded on your site that may be tracking users without their consent. How can you ensure that these resources cannot track users without their consent?
This situation is common for any site that embeds third-party resources. These resources can be loaded via analytics, advertising, social widgets, or user-configurable embedded content. There are a variety of ways to handle this, each with its own pros and cons.
One of the most effective ways to prevent third-party tracking is to replace third-party resources with local alternatives. For example, instead of using a social media share button provided by a third-party script, consider using a simple link styled with CSS. This is also better for site performance.
The preferable solution for user privacy is to re-host resources on your own servers, so that the original site doesn't get to see your users' IP addresses or set/receive tracking cookies.
Re-hosting content adds backend cost and complexity, so it's not always a practical solution for existing systems. The following techniques can all be used on the client side without any server-side cost:
One technique is to enable a tracking vendor's own data processing restriction features by overriding requests to force certain parameters or hostnames. Request overrides can also be used to sanitize outgoing requests by removing any detected personal data before they are sent.
Transcend Consent Management can automatically enforce certain vendor-specific opt-out parameters and share consent signals with certain vendor APIs through Transcend's Privacy Preserving Tracker Overrides.
Read more: Integrations
Another technique that can be implemented through our request overrides architecture is scrubbing personally identifiable information (PII), which removes personal data from requests before they are sent.
Transcend Consent Management can override requests using the airgap.js request overrides API so that you can programmatically scrub personal data from requests before they are sent. The following example demonstrates how to use our request overrides API to scrub a list of known PII-containing parameters from requests unless the user is fully opted in.
// List of query parameters containing PII to scrub
const piiParams = ['email', 'fullName'];

// Register pre-init airgap.js request overrides
self.airgap = {
  overrides: [
    {
      override(event) {
        event.URLs.forEach((URL, i) => {
          const { searchParams } = URL;
          const shouldScrub = airgap.isOptedOut();
          if (shouldScrub) {
            const paramsToScrub = piiParams.filter((param) =>
              searchParams.has(param),
            );
            if (paramsToScrub.length > 0) {
              // scrub parameters from URL
              paramsToScrub.forEach((param) => {
                searchParams.delete(param);
              });
              // re-serialize URL input
              event.urls[i] = URL.href;
            }
          }
        });
      },
    },
  ],
};
You can omit cookies and other credentials from certain network requests by setting various attributes on request-causing elements and supplying optional flags in JavaScript networking APIs. airgap.js provides an IPendingEvent.omitCredentials(): boolean API, which toggles the relevant credential omission flags where applicable and returns the success state. This API affects data flows both in transit, as they are emitted, and at rest in the request quarantine.
Credential omission is limited to the following request sources:
- Network APIs
  - fetch
  - XMLHttpRequest
- Workers
  - Worker
  - SharedWorker
  - ServiceWorker
- HTML elements
  - img
  - link
  - script
  - audio
  - video
If you wish to hide or truncate the original page referrer string sent to a linked resource, you can use the referrerpolicy attribute on img elements, iframe elements, and other elements. The Referrer-Policy HTTP header can also set referrer behavior for all resources on a page.
If you wish to embed third-party resources using iframe elements, there are additional features such as the sandbox attribute which can be used to reduce how the iframe can track the user. Sandbox configurations that allow scripting are potentially dangerous as the content may perform unique persistent tracking via fingerprinting or similar means.
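The browser-native settings that the credential omission, referrer, and sandbox paragraphs above refer to, shown as an added example that is not Transcend's code and does not describe how airgap.js is implemented. The helper names (privateFetchInit, sandboxRisks, hardenedEmbed) are hypothetical.

```javascript
// Added example: helper names are hypothetical; the attributes and fetch
// options are standard web-platform features, not airgap.js APIs.

// fetch(): send no cookies or HTTP auth, and no Referer header.
function privateFetchInit(init = {}) {
  return { ...init, credentials: 'omit', referrerPolicy: 'no-referrer' };
}

// Sandbox tokens that hand tracking-relevant capabilities back to the frame.
const RISKY_SANDBOX_TOKENS = new Map([
  ['allow-scripts', 'scripting makes fingerprinting possible'],
  ['allow-same-origin', 'frame keeps its real origin, cookies and storage'],
]);

function sandboxRisks(tokens) {
  return tokens
    .filter((t) => RISKY_SANDBOX_TOKENS.has(t))
    .map((t) => `${t}: ${RISKY_SANDBOX_TOKENS.get(t)}`);
}

const escapeAttr = (v) =>
  String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;');

// Build markup for a third-party embed with its tracking surface reduced.
function hardenedEmbed(tag, src, { sandbox = [] } = {}) {
  const attrs = { src };
  if (['img', 'script', 'audio', 'video'].includes(tag)) {
    // CORS request without credentials. The host must answer with
    // Access-Control-Allow-Origin, otherwise the resource fails to load.
    attrs.crossorigin = 'anonymous';
  }
  if (['img', 'script', 'iframe'].includes(tag)) {
    attrs.referrerpolicy = 'no-referrer';
  }
  if (tag === 'iframe') {
    attrs.sandbox = sandbox.join(' '); // empty value applies every restriction
  }
  if (Object.keys(attrs).length === 1) {
    throw new Error(`unsupported tag: ${tag}`);
  }
  const rendered = Object.entries(attrs)
    .map(([k, v]) => (v === '' ? k : `${k}="${escapeAttr(v)}"`))
    .join(' ');
  return tag === 'img' ? `<${tag} ${rendered}>` : `<${tag} ${rendered}></${tag}>`;
}
```

Run sandboxRisks over any sandbox token list before passing it to hardenedEmbed, and treat a non-empty result as a reason to review the embed.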