This is what I get on a new search page via https only -
Unique IDs about your web browsing habits have been insecurely sent to third parties.
195=c71jmkaox1byl8owjz73-g4wvqoXXXXXXXXXXXXXXXXXXXXXXXX3a5jilljyp09bdtj0ogdfbasworfyj8gqiaelkpaakuwchf7qvapelhfpsrjlrnpx-mgcil7a1scql6kivxmyyer2qjjaw6u02zuziy4zoqa2tdtXXXXXXXXXXXXXXXXXXXX7koaa2oaqpsi8ejxjwvrx_s08jyohkle9dghuvy805l9go
& -apis.google.com
Is this a phishing attack via some extension? I did reset the browser settings, and this did not cure it.
In the console I see:
local-ntp.html:1 A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea
at content.js:21
Also consider info here:
https://securitytrails.com/list/apex_domain/ww1.sinaimg.cn.w.alikunlun.com (Alibaba advertising)
Anyone,
polonus
Seems there is 14% of tracking being blocked on: local-ntp.chrome-search-scheme
that is for -play.google.com as xmlhttprequest with 2 requests blocked
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT (-https://play.google.com/log?format=json&hasfast=true)
No ads and security threats found.
Other extensions meet with an unsupported uri-error there, so they have no access.
Also
“script-src ‘report-sample’ ‘nonce-7aFDVgfk0JW5NVKIzgFdbA’ ‘unsafe-inline’”.
window.console.error @ VM14:37
userscript.html?id=2e3eadc0-39e9-4512-bab0-1e350c99d118:2 EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src ‘report-sample’ ‘nonce-7aFDVgfk0JW5NVKIzgFdbA’ ‘unsafe-inline’”.
at new Function (<anonymous>)
at ka (<anonymous>:53:143)
at Window.enhance [as setTimeout] (<anonymous>:57:66)
at Window.tms_2e3eadc0_39e9_4512_bab0_1e350c99d118 (userscript.html?id=2e3eadc0-39e9-4512-bab0-1e350c99d118:763)
at <anonymous>:3:75
at userscript.html?id=2e3eadc0-39e9-4512-bab0-1e350c99d118:2
at userscript.html?id=2e3eadc0-39e9-4512-bab0-1e350c99d118:3
at Object.window.__u__15099292.697225481 (userscript.html?id=2e3eadc0-39e9-4512-bab0-1e350c99d118:764)
at <anonymous>:3:75
3 requests from -apis.google.com connect unhindered, but there I blocked unencrypted requests with HTTPS Everywhere;
other tools do not work on an internal browser page.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)