No boundaries: Exfiltration of personal data by session-replay scripts

198 points by ploggingdev, over 7 years ago

8 comments

mindslight, over 7 years ago
Home Depot does this in a way that consumes my whole upload bandwidth, dragging down the entire connection (moved and haven't gotten around to reintegrating the proper router with tc(8)). As a result, I've moved towards using Lowes to spec things out, even though it's a 45 minute drive and their products are of generally inferior quality. Good job, surveillance parasites - you're starting to kill your hosts!

(I'm sure Lowes is or will be doing something similar, as faux-competition duopolies tend to move in lockstep. But the outright callous boneheaded execution still amazes me).

skrebbel, over 7 years ago
To be fair, FullStory spends a lot of time in their onboarding, UI and docs encouraging you to check and double check that anything sensitive is excluded. They broadcast this message so clearly that it's obvious that they take privacy seriously (or, about as seriously as any over-the-shoulder-peeking service could), and they strongly encourage their users to adopt the same stance.

This article makes it seem like their defaults are the only exclusion settings possible, which is very far from the truth.

I feel like FullStory is being blamed for trying to provide some minimal default exclusion settings at all. I assume the same holds for competing services.

I'm not saying that this means the core premise of this is wrong: there are many things to dislike about session recording services. But the article goes on and on about a few defaults, instead of focusing on the dangers of the core concept, and loses the argument that way IMO.

seiferteric, over 7 years ago
Does anyone know if uBlock Origin blocks this kind of stuff? Yet another reason to never disable it. I'm starting to realize it's a lot more than an ad blocker, but more like a firewall to protect the client against malicious sites with crypto miners, trackers and this stuff...

kevinconroy, over 7 years ago
+1 for highlighting the privacy concerns, but -1 for blaming the software for not having strong enough defaults.

As someone who has integrated FullStory into a production site, I spent several days doing a careful audit of our forms and redacting fields from being tracked. FullStory has an excellent, universal account setting to automatically redact fields based on any CSS selector, so it's very, very easy to tell it to remove any sensitive information - or even all form fields! - if that's what the website publisher desires. Out of the box I found that it correctly blocked credit card fields and passwords, and we were able to add additional fields that are sensitive.

Again, rightly so that a website publisher may want more information than you desire, but they could also store your info in plaintext in the database, making it easy for hackers to exfiltrate as well. Yes, this is another vector, but hardly the easiest one.

itissid, over 7 years ago
Read the article. Noob Q. Surely not ALL the browser tabs are vulnerable to getting recorded? In other words, only the tabs that are connected to websites that contain these recording JS scripts are vulnerable, correct?

tzahola, over 7 years ago
Is there a browser extension that warns you about the various tracker scripts a website is utilizing?

jlgaddis, over 7 years ago
Anyone know where I can find a list of the domain names used by these companies? I want to block everything from all of their domains.

phkahler, over 7 years ago
DAMMIT. Once again the question that immediately comes to mind is "Why the FUCK do browsers facilitate this shit?"

C'mon you stupid web devs on HN tell me again all your excuses to need these capabilities. Sorry to generalize to all those of you who don't do this, but many of you still want those capabilities that have opened the door. And those browser devs... It's like they compete to sell out the users by adding "features".