Thursday, May 23, 2013

How to stop cookies from being dropped on first party page

Originally written May 11, 2012


Goal - To block all non-first party cookies loading on a page.
Starting point - a <script> element loading my script into the first party page somewhere
Tools Used - Chrome Browser
What I know + test results:
DOM parsing is done synchronously and linearly - DOM Nodes are created as the page is "parsed" (ie. in order).
For example, for a script in the header, the "body" element does not exist yet.
Scripts are executed when their DOM Node is created and added to the Document. 
Iframes are loaded when the elements have been added to the Document.
Images are loaded when the NODE IS CREATED, not when added to the Document.
Image nodes are created before the page is parsed - a level one parse if you will, or just a pre-scan. Either way you view it, images are loaded immediately and independently of DOM parsing.
It's possible to replace nodes "under" the current node by setting the "innerHTML" of the parent node. The lower node (removed by your "innerHTML" text) is never run (scripts might be loaded, but they won't be run).
Possible Methods:
Method 1: Halt page loading while allowing my own script to run and load an iframe (which in turn loads and runs), and once finished, continue page loading. Can remove elements according to preference.
Method 2: Focus on Iframes: replace them with a placeholder till the user allows the Iframe.
Using the rules listed up top, we can halt the page from loading whenever we insert our script. The question remains: if we load our iframe, will it be allowed to "play" while the parent page is "paused" waiting for our script to allow it to continue? Likely answer is yes. Didn't test.
Method 2 would just replace current iframes (and listen for new ones added later) and wait for a signal from the user to add them back. The Method 2 script would have to be placed at the top of the "body" to be effective. It IS location dependent: other (non-embedded) scripts in front of it would delay its execution, allowing iframes time to load. External scripts or styles above our script in the body would unacceptably delay execution of our script.
Method 2 blocks only Iframes. Method 1 blocks Iframes + scripts. 
Nothing can block images. Which means the answer to this is a big "can't do it".
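
Method 2 as an added sketch (not code from the original post): it parks third-party iframes behind a placeholder, puts them back on a click, and watches for frames added later. The function names, the data-parked-src and data-allowed attributes, the plain host comparison and the use of MutationObserver for the "listen for new ones" step are all assumptions.

```javascript
// Added example, not the post's code; function and data-* names are hypothetical.

// True when src resolves to a different host than the page. Plain host
// comparison is an assumption; unparseable URLs count as third party.
function isThirdParty(src, pageUrl) {
  try {
    return new URL(src, pageUrl).host !== new URL(pageUrl).host;
  } catch (e) { return true; }
}

// Swap an iframe for an inert placeholder that remembers the original URL.
function parkFrame(frame, doc) {
  const holder = doc.createElement('div');
  holder.setAttribute('data-parked-src', frame.getAttribute('src') || '');
  holder.textContent = 'Frame blocked. Click to allow.';
  holder.addEventListener('click', () => restoreFrame(holder, doc));
  frame.parentNode.replaceChild(holder, frame);
  return holder;
}

// The user's signal: put a real iframe back, marked so it is not parked again.
function restoreFrame(holder, doc) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('data-allowed', '1');
  frame.setAttribute('src', holder.getAttribute('data-parked-src'));
  holder.parentNode.replaceChild(frame, holder);
  return frame;
}

// Park third-party frames already parsed, then watch for ones added later.
function guardFrames(doc, pageUrl) {
  const check = (node) => {
    if (node.nodeName !== 'IFRAME') { // container: look at frames inside it
      if (node.getElementsByTagName) Array.from(node.getElementsByTagName('iframe')).forEach(check);
      return;
    }
    if (node.hasAttribute('data-allowed')) return;
    if (isThirdParty(node.getAttribute('src') || '', pageUrl)) parkFrame(node, doc);
  };
  check(doc.documentElement);
  const observer = new MutationObserver((records) =>
    records.forEach((rec) => rec.addedNodes.forEach(check)));
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Runs only in a browser; elsewhere (e.g. Node) the functions are just defined.
if (typeof document !== 'undefined') guardFrames(document, location.href);
```

The observer callback runs after a node has been inserted, so the request for a late-added frame may already have been issued by the time it is parked. Images are untouched, which matches the limitation stated above.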

Conclusion:

Possible to block all third party cookies : NO
Possible to block advertising cookies : YES (because can block the ad frame)
Possible to block beacons : NO (unless in Iframes or loaded by script)
Possible to remove other scripts from the page : YES (not explained here, but possible, as long as they are located after our script)
Possible to remove/replace Iframes : YES
