I’m building a personal website using this premade Enterprise-class CMS because it has both the blogging and wiki/docs parts in one package, it’s not as gorgeous as a WordPress site can get but it’s got a ton of management tools and then some. Plus, I’ve invested on it already and got it looking pretty good for an Enterprise CMS––actually it ain’t that bad even compared against the blogging CMSes.
There’s a big issue with it though: analytics. They are disabled on the backend but the code still loads in every page and I found out that HTTP POST requests are made to a REST endpoint, fortunately all within the domain (although this might be because my reverse-proxy, HAProxy, injects Content Security Policy headers so no requests outside of my domains are allowed) and in the same proxy those REST calls are blocked so they never make it to the server and finally the server itself is blocked from connecting to the Internet on its own so it can’t ever phone home to upload stuff.
Only doing all of this I feel I feel confident about visitor (and my own) privacy and I would leave it at that except for the fact that those REST calls have the word "analytics" right on the URL therefore privacy tools like uBlock Origin flag them on a site with otherwise perfect privacy score.
The CMS allows to put in some code in sections on it, I’m already using code put in the end of the body section to hide the login section back up in the header section, not needed on a personal site. It’s a something like:
<script> jQuery('#sectionid').hide(); </script>
So I’m thinking about using something like that to either block loading the analytics script’s module I guess it’s called, or perform a function similarly to a CSP, forbid the page to make HTTP requests to that address thus uBlock Origin won’t flag my site. I tried blocking the script from being requested altogether but it’s in some form of multiplexed request with other scripts (as you may tell by now; I know nothing about code) and they are loaded lumped together in
batch.js files breaking the site with it when blocked. I found about all of this (and the concept of minify) after a couple of hours viewing logs and analyzing the code with the developer tools on different browsers. Didn’t fix a thing but at least I didn’t break things* and I got an idea on how to proceed.
I also found this
…and I am begging that "gre" doesn’t mean what it means in the networking world, y’know–a tunnel, because I’d have to dump the CMS and start looking again. I’ll leave that for later though.
Is there some code to block other code or block/rewrite requests? I have other servers from where I can easily server the code if it can’t be out inline. Any suggestion is welcome.
BTW those last sentences sound like dev talk, at least to me a little, but it’s only what I’ve learned from using a proxy–I really know no code.
*: actually I did break some stuff but thankfully virtualization saved me: I snapshoot (snapshotted?) back in time.