When using WebPageTest it is possible to use custom scripts to set cookies. Is it possible to do the same on PageSpeed Insights or lighthouse?
For example in the European Union you may want to set cookies to disable the cookie consent popup which will not appear for repeat users who have already consented to the website's cookie policy.
Page Speed Insights
Page Speed Insights (PSI) is designed for simulating a first time user to the site, so your cookies popup would always show.
It does not cache cookies or anything else. There is no way to send cookies to PSI.
Lighthouse in the browser
If you are using Lighthouse in the browser simply untick the "Clear Storage" option in the top bar (you may have to click the gear icon top right to reveal this) and at that point run the page twice (once to set the cache), cookies will be stored and you will record a run with cached images, files etc.
If you wanted to create a run where cookies are stored but nothing else is cached you could go to the application tab in developer tools and remove everything other than the cookies.
However as this is not indicative of a real world scenario I do not see the benefit and is only included as it answers the original question.
Lighthouse CLI + Puppeteer
Your final option for complete control would be to run Lighthouse CLI on your own machine.
The source code for Lighthouse is available on GitHub, takes a short while to set up, installing chromium etc. but it is worth it.
At that point you have more control, if you partner it with Puppeteer then you have all the control to set individual cookies etc.
However it does appear that you should be able to pass cookies directly to Lighthouse via config according to this thread, but it might not work and ultimately ends up recommending puppeteer. Perhaps that is a feature that will get improved upon soon.
Related
Does anybody have the same problem? New extension with verified domain and enabled inline install after clicking on button with chrome.webstore.install();cause redirect to chromestore with get parameter ?utm_source=inline-install-disabled
I recently received the following email from Chrome Web Store Developer Support:
In addition to the existing extension-level protection, our expanded
enforcement will also use machine learning to evaluate each inline
installation request for signals of deceptive, confusing, or malicious
ads or webpages. When we find those signals, we'll selectively disable
that one inline installation request and redirect the user to the
extension's page on the Chrome Web Store. This selective enforcement
will not impact inline installation of that extension from other,
non-deceptive sources. Developers will not be notified of this
enforcement, as it happens on an as-needed basis.
Are you serving any ads on your site or doing anything else that might be perceived as a grey area by ML?
If you're being blatantly deceptive, it would appear that you've been found out. If not, and you're genuinely confused, a possible first step would be to scrape your site of any ads or injected content altogether to see if you're able to regain Google's trust.
I am working on a website related to physically/psychologically abused person.
There is an emergency exit button available all time so the user can click on it before the "aggressive" person enter the room where the computer is located.
When the user click on the emergency button, the user is automatically redirected to Google with a query like "cooking apple pie" (this is an example).
Also, we would like to hide our website from the browser history in case the aggressive person check the history of the abused person. I think this cannot be done technically.
At least, can we generate fake browsing history to justify to the aggressive person the time that the user was on our website?
I tried multiple things to simulate a "browsing" like using an iframe or an ajax query to another website but none populate the browser history.
Is this can be done?
Thank you for your input!
I think you may be focusing too much on the browser and computer that you do not control and not enough on the content and the server that you do control. How about taking a different approach? Why not generate the pages for the user on the fly? The links are only good once. If you click on the home button (your escape key) and the aggressive person looks in the history the attempt to access them a second time could be made to display the weather or lottery results or something innocuous, Focus on what you have control over.
Useful Technical Details
Removing/Preventing Back Button Click History
You can allow the user to browse throughout a webpage without building up a history trail on the back button by having them click exclusively on javascript: links. This would still not remove any of the visited websites from their full browser history, so it's not a full solution.
Here's an example HTML JavaScript link:
CLICK HERE TO ESCAPE!
If this is acceptable, you could build an inoffensive homepage from which the user could access the site that would use JavaScript to send them to the real website. Every link on that new website would have to be a javascript link. Disadvantages of this would be that they would no longer be able to use the back button to navigate and that JavaScript is 100% required for the site to function.
Sanitized History
Make sure you have inoffensive titles and icons for any pages in the site so if the user does not delete their browser history they will not grab the attention of the third party.
Preventing Access to Protected Content
One option you have is to disguise your website as something else by having the user log in before they are allowed to access any of the content. You could save their session/login data in such a way that it is cleared if they hit an escape button it is erased or reset. As part of the login page, you could give users an alternate password to type in that would redirect them to fake content if their abuser becomes suspicious enough to demand they log in.
The session/login information should never save between browser sessions and always have a short expiration period, to further reduce the chances of the abuser gaining access to the website.
Disguising the Site
Considerations
If you choose to disguise the site either on the homepage or behind a "fake" login, be very careful to choose something that makes sense and would not arouse suspicion or interest. You don't want the fake page to be some sort of game or anything that might pique the third party's interest.
You also don't want it to look so boring or mundane that the original user would be hard-pressed to explain their possibly frequent visits. It shouldn't be anything so specific that the third party would think twice about the original user visiting it though. For example, it might be suspicious if someone who does not enjoy the great outdoors were to be visiting a page on mountain biking.
It also can't do something like just redirect them to Google without explaining the fact that they had to log in to access it.
General Advice
Private Browsing
Multiple sources have suggested either educating your target audience in how to use IE's InPrivate Browsing mode, Firefox's Private Browsing mode, or Chrome's Incognito mode.
There unfortunately does not appear to be a way to prevent the browser from keeping the current page in its browsing history through JavaScript. It's possible there might be some sort of plug-in or third-party control which would enable this, but it's probably just easier to get your users to use a private browsing mode.
Clearing History
Clearing a user's web history would not be possible since browsers restrict websites from accessing or altering data on the user's computer directly. Since the user's browser history is part of this data it would be a security issue if any website could clear the history.
You should provide instructions to your users for pruning or clearing their browser history, whether on the website itself before they enter, or through whatever resource you showed them how to access your website.
Generating a Fake History
If you need to generate a fake list of visited websites, you can always create new tabs/windows for the users (or possibly iframes) at timed intervals with JavaScript, but the user would have to disable their popup blocker for this to take effect.
Further Reading
Here is a helpful article on creating a useful Quick Disguised Exit From A Website. This forum thread that I found it on also had some useful information, but it's likely you've already seen it.
At least, can we generate fake browsing history to justify to the aggressive person the time that the user was on our website?
Have you cosidered turning it around?
What if technically all your pages and its content are about something else. So it is the content you want to hide that's loaded in a special way, making it easier for you to avoid having it in the browser history.
So then it becomes about knowing when to load/show the special content.
Above said, it's very important what #Frédéric Hamidi said:
Just keep in mind that if the "aggressive" person has control over that computer or the network, nothing can really prevent him/her from installing loggers on the machine or analyzing network traffic.
IE's InPrivate Browsing mode, Firefox's Private Browsing mode, and Chrome's Incognito mode
I would recommend this to prevent the abuser from finding the secret site in the browsing history.
Also, opening a social networking site and letting the browsing history collect that would be an excellent and believable excuse for the time spent on the computer.
So I have a Chrome extension which uses Google Analytics for tracking various things. One of those things is the extension version, set using a custom variable every time the background page is started. Now my question is: Which scope should I use, visitor or session level? I can't figure it out based on Google's documentation, and no one else seems to have had this issue. I'm not even sure there's any difference, or maybe it's just something like "it's bad practice to overwrite visitor level variables".
Chrome extensions are have some very specific characteristics and the answer to this question is not applicable to anything that is not a Chrome extension.
From your question I believe you do some basic tracking on your background page, but I assume you also do so on a popup or you fire an event if the user do some action with your extension.
In that case I'll strongly suggest that you use a Visitor Level Custom var.
The problem is that the background page is loaded only once, when the browser opens up, and it's like a tab that stays open and silent, possibly hosting some callback functions for events that may or may not happen.
Because of that once the visitor first loads your extension you'll see a pageview from you background page setting this custom var.
After that there may be a silent period where your extension doesn't track anything, this period can take hours, until hopefully the user interacts with your extensions and tracks additional data to analytics. When it finally happens chances are that over half an hour has passed since the backgroun page loaded. If that is true the visit (or session) that was started by the background page is already over. A visit with no activity for 30 min is closed by analytics. In that case that interaction will spawn a new visit.
If you set the Custom Var as a visit leve variable chances are that when you see interactions on the extension, these interactions won't have the custom var.
This approach has the bad side effect that if the version of your extension changes and the user doesn't reload the browser the version is not going to be updated, and it will be erroneously registered as te old version.
That's very unlikely. And the only way to fix it is to check the version of your app everytime the user does an interaction and set that custom var again. I believe that this is excessive and I don't do it in my extension. Still if you opt for it, it really doesn't matter if it's a visit level or visitor level custom var.
We're building a mobile-friendly site to work in tandem with our client's MOSS 2007 internet site. We need to be able to redirect users who hit the home page and are using a mobile device.
Our original intention was to add a custom control to the home page page layout that would detect the current user's device and redirect to the mobile site accordingly. We quickly realised that this would not work as we are using the Output Caching functionality provided by SharePoint/Asp.Net. This means that the detection code will only run for the first visitor to the home page until the cache expires.
Our next idea was to build a custom HTTP Module and process the detection there. However, we are finding that the Output Caching is not allowing that either. If the cache is set while a mobile device is visiting all browsers are subsequently redirected to the mobile site (until the cache expires).
If we turn off output caching it works just fine - but we cannot turn output caching off, especically for the home page. We did investigate Substitution (Donut) Caching but this is not working due to the fact we are filtering the Asp.Net response within another HTTP Module that tidies up the rendered HTML for XHTML compatiblity reasons. I've also experimented with the output cache profile by setting it to vary-by-header property to "User-Agent" but I am getting mixed results and am also concerned at the memory implications of caching multipel versions of pages (we already have memory issues now and then).
It's possible we could run the redirection code in JavaScript but then we risk not detecting a lot of devices that don't have JavaScript enabled. This is a government website so the usage of JavaScript has to abide by accessibility guidelines.
Does anyone have any other ideas as to how we can solve this issue. Has anyone done this before? Perhaps in a different way?
Hope you can help, thanks.
p.s. I have also asked this question on SharePoint.SE but wanted to get as many eyes on this as possible.
I would suggest you to try ISAPI filters
I've actually solved this one I think. I've pretty much followed this article here - http://msdn.microsoft.com/en-us/library/ms550239.aspx. We have updated the code in that article to build a cache key based on whether the current page is the home page, whether the current user is using a mobile device and whether or not a cookie exists forcing the user to the full site. I will probably write this up as a blog post. When I do I will update this answer providing a link.
Do browser plug-ins, such as the Yahoo toolbar or others, have the ability to set cookies on multiple domains as the user browses the web? Does the browser expose the necessary access to do this to a plug-in? If this varies across browsers, that would be helpful to know as well.
Thanks!
Cookies are stored in files and real plugins (i.e. ones using NPAPI rather than the browser's addon/extension engine) can read/write files. Hence, it's possible to do for any browser this way, although not really straightforward.
Firefox exposes cookies even to addons since there are cookie editor addons (that can edit cookie for any site).
Chrome/Chromium allows setting of cookies through "content scripts" that run in the context of a page (any page) - that's only in the beta branch so far, but soon to be in stable. However, the downside is that you might have to visit the site for it to work (you could fake that using iframes).
No idea about Opera.
The only one I have found that works quite well for creating/updating/viewing cookies is Firecookie