Google Tag Manager, in my experience, is a script executed by the browser. It installs itself in the page and then injects its payload of user-configured scripts. It's a Trojan horse, really. You can block Google Tag Manager's embed scripts. I wasn't aware of a backend integration, but it's certainly possible.
Regardless, I use a DNS based ad blocker (pihole) and it takes care of all this stuff. I occasionally need to turn it off or whitelist domains (like Google tag manager) for client work, but normally I have it blocked.
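For reference, a DNS blocker like Pi-hole works off hosts-file-style blocklists; blocking the GTM domains would look something like this (the sink address and domain list are just illustrative):

```
# Hosts-file-style blocklist entries, the format Pi-hole consumes;
# 0.0.0.0 sinks the lookup so the script never loads
0.0.0.0 googletagmanager.com
0.0.0.0 www.googletagmanager.com
0.0.0.0 tagmanager.google.com
```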
A server-side GTM container complements a client-side container; it does not fully replace it.
Some processing happens on the server, but event data must still be sent to the server-side container first. For now, the "standard" deployment is that the server-side container receives hits directly from the browser, orchestrated by a traditional client-side container. So the client-side script is still there, just less bloated.
The server-side container has built-in facilities for serving up the client-side container script, which means domain-name blocking will not prevent this. DNS-based blocking also has issues: server-side containers run in App Engine, so blocking them basically means blocking anything running on GCP.
Current GTM, configured (via the server UI) to inject tracker X:
gtm javascript loads, pulls down the config, injects tracker X javascript into the browser
new gtm:
gtm javascript loads, pulls down config, streams events to google servers to fan out to tracker X as configured
So blocking gtm.js off tagmanager.google.com / www.googletagmanager.com / the various other domains still blocks all gtm injected tags.
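As a sketch, that kind of domain-level blocking (whether at the DNS layer or in an extension) boils down to a hostname suffix check; the blocklist and URLs below are just examples:

```python
from urllib.parse import urlparse

# Example blocklist of GTM-serving domains
BLOCKED = {"googletagmanager.com", "tagmanager.google.com"}

def is_blocked(url: str) -> bool:
    host = urlparse(url).hostname or ""
    # Match the domain itself or any subdomain of it
    return any(host == d or host.endswith("." + d) for d in BLOCKED)

print(is_blocked("https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"))  # True
print(is_blocked("https://example.com/gtm.js"))  # False
```

This is exactly why serving the script from a subdomain of the site itself defeats the check: the hostname no longer matches anything on the list.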
The tl;dr is they've become much closer to Segment -- which does the data fanout internally on Segment's servers. But they should still be straightforward to block.
This is not how GTM server side works. There is not a single call to Google domains from the client, when GTM server side is set up to its fullest. The config (gtm.js) will be loaded from my subdomain and not googletagmanager.com. Also gtm.js can be renamed.
Per the docs here [1], that is not true. You continue to load gtag.js off the googletagmanager.com domain; subsequent events can flow to a custom domain.
No because the script contents can change from site to site. Maintaining an index for every site would get you closer, but individual sites can trivially tweak things to break fingerprinting as often as they want. Even on every request.
You missed the part where they recommend changing the script's name as well; add in changing a few variable/function names in the script, and even matching the hash of the script itself would be useless. On top of that, they recommend using a subdomain with an A/AAAA record so it's first-party.
Worst-case you parse the script and block it if the AST is too similar.
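A minimal sketch of that idea, using token-kind shingles rather than a real AST (all names here are made up for illustration). Because identifiers are collapsed to a token kind, renaming variables and functions alone doesn't change the fingerprint:

```python
import re

def shingles(src: str, n: int = 3) -> set:
    # Crude lexer: keep token *kinds*, not names, so renaming
    # identifiers does not change the fingerprint
    kinds = []
    for m in re.finditer(r"[A-Za-z_$][\w$]*|\d+|\S", src):
        t = m.group()
        if re.match(r"[A-Za-z_$]", t):
            kinds.append("ID")
        elif t.isdigit():
            kinds.append("NUM")
        else:
            kinds.append(t)  # punctuation/operators kept literally
    # Overlapping n-grams of token kinds
    return {tuple(kinds[i:i + n]) for i in range(len(kinds) - n + 1)}

def similarity(a: str, b: str) -> float:
    # Jaccard similarity of the two shingle sets
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

original = "function track(e){send(e.id, e.data);}"
renamed  = "function t(x){s(x.id, x.data);}"
print(similarity(original, renamed))  # 1.0: renaming alone doesn't change the shape
```

A production blocker would want a real JS parser and a tree-similarity measure, but even this crude version shows why renaming alone isn't enough to evade structural matching.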
There are a million ways to detect and block this sort of thing when you control the client. Yes, it's harder than just blackholing a whole domain, but it's hardly impossible.
Does there need to be a loaded script with a certain fingerprint? What if they are just passing data from the browser to some random endpoint? I'm not sure, just thoughts.
There needs to be a script because the tracking still happens client-side and there will be some logic involved. The only way to avoid being blocked by the browser is to track server-side.
The point is that DNS-based ad blocking is being worked around with this new system, because the tracker looks like part of the site you're on. Also, Google is encouraging modifying the JS to prevent automated tools from blocking it.
> You just have to write them by hand instead of the convenient table UI.
That’s a pretty big "just", though. Very few sites work without fiddling with rules, having to do manual text entry every time would push me towards not using it.
The UI of uMatrix is generally far superior to the mobile-friendly, simplified one of uBo.
It is, but for me the pros outweigh the cons. In particular, even with uM I often ended up editing the rules by hand, because it was easier to copy-paste and toggle rules while experimenting, but uM would forcibly re-sort the rules on save, which made that annoying.
>Very few sites work without fiddling with rules,
The only sites I fiddle with the rules of are the ones I visit regularly, which is not many. Over the 1.5 years that I've been using this method, I've only got 75 "web properties" in my list (github.com, github.io and githubusercontent.com count as one "GitHub" web property; so the number of domains is a bit higher). Going by git history, I do have to fiddle with one or more rules once a month on average.
For other sites, either they work well enough with default settings, or I give up and close them, or if I really need to know what they say I use a different browser. For this other browser I never log in to anything, and have it configured to delete all history by default on exit. (I've been pondering making this an X-forwarded browser running on a different source IP, but haven't bothered.)
>The UI of uMatrix is generally far superior to the mobile-friendly, simplified one of uBo.
To be clear, editing the rules does not use the "mobile-friendly, simplified" uBO UI. It refers to the giant text field you see in the uBO "Dashboard", specifically the "My filters" tab.
But yes, it'd be the best of all worlds if uBO gains the table UI as an alternative to the filters textfield. I imagine the problem is that static filters are technically much more powerful than what the uM-style rules do, so it'd require inventing a third kind of rule, which isn't great.
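For reference, hand-written entries in the "My filters" textfield are uBO static filters; blocking GTM the way a uM rule would could look like this (the domains are just examples):

```
! Block this domain's scripts in any third-party context
||googletagmanager.com^$script,third-party
! Or block the whole domain outright
||tagmanager.google.com^
```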
The big change they are suggesting is that the gtm code is no longer accessed via a predictable Google domain, rather it is requested through a subdomain of the parent site.
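Concretely, the loader snippet keeps the same shape; only the host changes from googletagmanager.com to a first-party subdomain that fronts the server-side container (the container ID and hostname below are placeholders):

```html
<!-- GTM loader pointed at a first-party subdomain that fronts the
     server-side container; container ID and hostname are placeholders -->
<script async src="https://metrics.example.com/gtm.js?id=GTM-XXXXXX"></script>
```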