0

I need to write client-side JavaScript that prevents other 3rd party scripts from requesting certain domain URLs on their own. Is there a way to achieve this?

Example setup:

<html>
  <body>
    <script src="myscript.js" type="text/javascript"></script>
    <script src="third-party-script.js" type="text/javascript"></script>
  </body>
</html>

Now third-party-script.js requests from the domain www.track-me.com. I want to be able to block outgoing track-me.com requests via code inside myscript.js.

5
  • Don't load third-party scripts that you don't trust in the first place. Commented Sep 19, 2024 at 19:25
  • @Bergi this issue is old but it's not about trust, it's about working with GDPR compliance given the constraints of that web page Commented Sep 20, 2024 at 13:34
  • If you have a data processing agreement with the provider of the script, asking them to also provide a version that doesn't make these requests should be the first step. If they won't do that, but you trust them so far as not to change their implementation, you can just overwrite the parts of their module (or the underlying globals that their code uses) that make these requests and have them do nothing. If you need help with that, you'd need to ask a more concrete question that includes the code of third-party-script.js though. Commented Sep 20, 2024 at 14:56
  • @Bergi if there are no constraints here with what scripts can be included or not, then I wouldn't be asking this technical question. Commented Sep 20, 2024 at 15:24
  • Then what exactly are those constraints? Please edit your question to clarify. Otherwise, a content security policy (as suggested by @Madacol, though even better sent as a header than a <meta> tag) might be the simplest solution (and is a best practice anyway). Commented Sep 20, 2024 at 15:55

2 Answers

3

You can use a service worker to intercept network requests from your page and handle them as you please.


1 Comment

Thanks, forgot to mention I need it to work on IE11
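
The service-worker approach from the answer above, as an added example that is not part of the original answer: a worker script that answers requests to track-me.com and its subdomains with a 403 instead of letting them reach the network. The file name sw.js, the blocklist constant and the function names are assumptions made for this illustration.

```javascript
// sw.js (hypothetical file name), served from the site root so its scope covers every page.
// Constructed blocklist: the host named in the question.
const BLOCKED_HOSTS = ['track-me.com'];

// True when the URL's host is a blocked domain or one of its subdomains.
function isBlocked(url, base) {
  let host;
  try {
    // Normalise case and a trailing root dot ("track-me.com.") before comparing.
    host = new URL(url, base).hostname.toLowerCase().replace(/\.$/, '');
  } catch (e) {
    return false; // unparsable URL: leave it to the browser to reject
  }
  // Match on a label boundary so "nottrack-me.com" is not caught by accident.
  return BLOCKED_HOSTS.some((d) => host === d || host.endsWith('.' + d));
}

// Response init for a blocked request; null means "do not interfere".
function decide(url, base) {
  return isBlocked(url, base)
    ? { status: 403, statusText: 'Blocked by service worker' }
    : null;
}

// Register handlers only when actually running as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  // Take control as early as possible instead of waiting for the next navigation.
  self.addEventListener('install', () => self.skipWaiting());
  self.addEventListener('activate', (e) => e.waitUntil(self.clients.claim()));

  self.addEventListener('fetch', (event) => {
    const verdict = decide(event.request.url, self.location.href);
    if (verdict) {
      event.respondWith(new Response(null, verdict));
    }
    // Without respondWith() the request goes to the network as usual.
  });
}
```

myscript.js would register it with `navigator.serviceWorker.register('/sw.js')`, which requires HTTPS (or localhost). Requests issued before the worker controls the page, such as on a first visit, are not intercepted, and IE11 has no service worker support.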
1

With CSP you cannot blacklist domains, but you can whitelist them, for example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://apis.example.com">

This will only allow requests to your own domain and https://apis.example.com.


You can also block all requests:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'">

And with this last idea you can do some sneaky stuff, like loading everything you want, and then in JS cut off every future connection attempt, like this:

Instead of putting that meta tag statically, load all scripts you want to load, then in the last one (or whenever you are ready to go offline) insert the meta tag dynamically:

{   // Go Offline
    const meta = document.createElement('meta');
    meta.httpEquiv = "Content-Security-Policy";
    meta.content = "default-src 'none';";
    document.head.appendChild(meta);
}
