This is a short blog about a “Do Not Track” implementation for this site, motivated by reading a Hacker News post about preventing site tracking [1]. One of the reasons I run this site on my own server is that I want full control over the content delivered, privacy being one of the things I value. Whilst NeoCities [2] and GitHub [3] may offer free hosting to some extent, I do remain concerned about their vested interest in offering these services.
One of the comments on the Hacker News post [1] was the following:
hellcow:
You could also put `if (navigator.doNotTrack === "1") { return }` at the top of your script.
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...
I checked out this resource [4] and it seemed like a good implementation - and it’s nice to use JavaScript as an anti-tracking feature for once!
So the support seems to be as follows [5]:
Platform  Browser  Version  DNT?
Desktop   Chrome   23       yes
Desktop   Firefox  9.0      yes*
Desktop   IE       9        yes*
Desktop   Opera    12       yes
Desktop   Safari   5.1      yes*
Mobile    Android  -        no
Mobile    Firefox  9.0      yes*
Mobile    IE       -        no*
Mobile    Opera    -        no
Mobile    Safari   -        no
Clearly this is a feature that will work on all browsers in the future, but we can do our best to support it for complying browsers now. We can at least try to protect those who keep their browser up to date - it’s likely too late for those who don’t…
There are of course edge cases:
- `navigator.doNotTrack` with values of `yes` and `no` rather than `1` and `0`.
- `navigator.msDoNotTrack`.
- `window.doNotTrack` rather than `navigator.doNotTrack`.
- Additional edge cases specific to Internet Explorer [6]:
  - `window.external.InPrivateFilteringEnabled`
  - `window.external.msTrackingProtectionEnabled`
There may be more, but I’m losing the will to live by searching for them.
(Why, Microsoft? Why? Why…? Why do you do it? Why? Why get up?)
The `dnt.js` file being used for this page can be found here. It’s a simple implementation for now that avoids having to make changes to server-side content that is currently produced statically. All it does is replace `iframe`s that have external `src`s and put a hard link to the content in their place.
The thinking is that those who are not running JavaScript will not be affected, those that are using browsers too old will not be affected and those using newer browsers have their privacy respected. In this way, we can consider this client-side code as fail-safe.
We load the script just after all of the elements in the page and simply run the JavaScript straight from there - no callback. This is when all the elements have been parsed, but their contents have not yet been loaded.
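The edge-case checks and the iframe swap described above, combined in one sketch. This is an added example, not the site's `dnt.js`; the function names, the host-comparison rule for what counts as "external", and the treatment of the two `window.external` members as callable and returning a boolean are assumptions of this example.

```javascript
// Added example, not the site's dnt.js. `win` and `doc` are passed in so the
// logic can be exercised outside a browser.

// True when any known Do Not Track signal is switched on.
function dntEnabled(win) {
  var nav = win.navigator || {};
  var signals = [nav.doNotTrack, nav.msDoNotTrack, win.doNotTrack];
  for (var i = 0; i < signals.length; i++) {
    // "1" is the standard value; "yes" is the older spelling.
    if (signals[i] === "1" || signals[i] === "yes") return true;
  }
  // Internet Explorer extras, assumed here to be callable and return a boolean.
  var ext = win.external, names = ["msTrackingProtectionEnabled", "InPrivateFilteringEnabled"];
  for (var j = 0; ext && j < names.length; j++) {
    try {
      if (names[j] in ext && ext[names[j]]()) return true;
    } catch (e) { /* host object refused the call: treat as no signal */ }
  }
  return false;
}

// True when src names a host other than the page's own.
function isExternal(src, ownHost) {
  var m = /^(?:https?:)?\/\/([^\/?#]+)/i.exec(src || "");
  return !!m && m[1].toLowerCase() !== ownHost.toLowerCase();
}

// Swap each external iframe for a plain link; returns the number replaced.
function replaceExternalFrames(win, doc) {
  if (!dntEnabled(win)) return 0;
  var frames = Array.prototype.slice.call(doc.getElementsByTagName("iframe"));
  var replaced = 0;
  frames.forEach(function (frame) {
    var src = frame.getAttribute("src");
    if (!isExternal(src, win.location.host)) return;
    var link = doc.createElement("a");
    link.href = src;
    link.rel = "noreferrer"; // do not leak the referring page on click
    link.textContent = src;
    frame.parentNode.replaceChild(link, frame);
    replaced++;
  });
  return replaced;
}

// In a browser, run straight away; elsewhere this guard does nothing.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  replaceExternalFrames(window, document);
}
```

When no signal is present, or the browser throws on one of the vendor-specific checks, the page is left exactly as served.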
[1] Hacker News
[2] NeoCities
[3] GitHub
[4] Mozilla
[5] Mozilla
[6] TestDrive Archive