Privacy Audit for transunion.com
Completed on: December 19, 2019. Expires on: January 19, 2020.
Find solutions for data privacy website compliance at www.osano.com

HTTPS by default: Yes
Content Security Policy: Implemented, but has problems
Referrer Policy: Referrers leaked
Cookies: 33 (14 first-party; 19 third-party)
Third-party requests: 57 requests to 36 unique hosts
Server location: United States of America
Server IP address: 66.175.240.138
HTTPS by default
www.transunion.com uses HTTPS by default.
Osano's automated web browser reports the following:

Title | Summary | Description
Certificate | valid and trusted | The connection to this site is using a valid, trusted server certificate issued by Entrust Certification Authority - L1K.
Resources | all served securely | All resources on this page are served securely.
Connection | obsolete connection settings | The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.

The "obsolete" verdict is about the key exchange, not the cipher: AES_256_GCM is an AEAD cipher, but static RSA key exchange provides no forward secrecy, so a later compromise of the server's private key would let anyone who recorded past traffic decrypt it. Prefer ECDHE cipher suites on TLS 1.2, or TLS 1.3, where ephemeral key exchange is the only option.

More information about the site's TLS/SSL configuration:
• Analyze www.transunion.com on SSL Labs
• Observatory by Mozilla
• Mozilla TLS Observatory
• testssl.sh

To enable HTTPS on a website, a certificate for the domain needs to be installed on the web server. To get a certificate that browsers will trust, you need one issued by a trusted certificate authority (otherwise a visitor's browser will show a warning).
Let's Encrypt is a non-profit certificate authority (sponsored by Mozilla, EFF, Cisco, Facebook and others) providing free certificates through an easy, automated process. You can set it up yourself, or use one of the many hosting providers who have built-in support for Let's Encrypt.
• Get started with Let's Encrypt
• Mozilla SSL/TLS Configuration Generator [for advanced users]
• For checking the configuration of a server, try SSL Labs SSL Server Test (web), testssl.sh (CLI tool), Mozilla TLS Observatory (CLI tool) or Observatory by Mozilla (web).
HTTP Strict Transport Security (HSTS)
HSTS policy for https://www.transunion.com: max-age=15768000; includeSubDomains

Test
• max-age set to at least 6 months: 15768000 seconds is exactly six months, the minimum this test accepts, so it passes with no margin.
• includeSubDomains (policy also applies to subdomains): present.
• preload (requests inclusion in preload lists; only relevant for the base domain): absent.
Base domain (https://transunion.com) HSTS status unknown. Because the header above was observed on www.transunion.com, its includeSubDomains covers only hosts beneath www.transunion.com; hosts such as assets.transunion.com are protected only if the base domain also sends the header.

HSTS is just an HTTP header. In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds (the policy is refreshed every time the browser sees the header again):
    Strict-Transport-Security: max-age=31536000;
In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be "preloaded" into browsers:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Note that includeSubDomains should be deployed at the base domain, i.e., https://example.com, not https://www.example.com. While we recommend the use of includeSubDomains, be very careful, as it means that all subdomains associated with the parent domain must support HTTPS. (They do not have to each have their own HSTS policy.)
For a user to take advantage of HSTS, their browser does have to see the HSTS header at least once. This means that users are not protected until after their first successful secure connection to a given domain.
To solve this problem, the Chrome security team created an "HSTS preload list": a list of domains baked into Chrome that get Strict Transport Security enabled automatically, even for the first visit.
Firefox, Safari, Opera, and Edge also incorporate Chrome's HSTS preload list, making this feature shared across major browsers.
The Chrome security team allows anyone to submit their domain to the list, provided it meets a few requirements: the base domain must serve the header with a max-age of at least 31536000 (one year), includeSubDomains and preload, it must redirect HTTP to HTTPS, and every subdomain must work over HTTPS. Preloading is effectively permanent (removal takes months to reach users), so confirm the subdomain inventory before submitting.
• HTTP Strict Transport Security [cio.gov]
• HSTS Preload List Submission [hstspreload.org]
• Strict-Transport-Security [mozilla.org]
Text adapted from the CIO Council's The HTTPS-Only Standard (public domain).
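To make the three checks above concrete, here is an added example (the editor's code, not Osano's) that parses a Strict-Transport-Security header the way RFC 6797 describes and scores it against the audit's tests. The six-month threshold is the one the test states; the one-year threshold for preload eligibility is the hstspreload.org submission requirement; the sample header is the value reported above.

```python
"""Evaluate a Strict-Transport-Security header against the audit's three checks.

Added example (not Osano's code). SIX_MONTHS matches the audit's test;
PRELOAD_MIN_AGE is the hstspreload.org requirement.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SIX_MONTHS = 15_768_000       # 182.5 days: the audit's "at least 6 months" threshold
PRELOAD_MIN_AGE = 31_536_000  # one year: required by hstspreload.org for submission


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header per RFC 6797.

    Directives are ';'-separated, names are case-insensitive, the max-age
    value may be quoted, unknown directives are ignored, and a directive
    that appears twice makes the whole header invalid.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}: header is invalid")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(header: str, base_domain: bool) -> Dict[str, bool]:
    """Run the audit's checks; a header without max-age is ignored by browsers, so it fails."""
    policy = parse_hsts(header)
    has_age = policy.max_age is not None
    results = {
        "max-age >= 6 months": has_age and policy.max_age >= SIX_MONTHS,
        "includeSubDomains": policy.include_subdomains,
    }
    if base_domain:
        # Only the registrable domain can be preloaded; the submission form
        # also requires includeSubDomains and a one-year max-age.
        results["preload eligible"] = (
            policy.preload and policy.include_subdomains
            and has_age and policy.max_age >= PRELOAD_MIN_AGE
        )
    return results


if __name__ == "__main__":
    observed = "max-age=15768000; includeSubDomains"  # value reported for www.transunion.com
    print(evaluate(observed, base_domain=False))
    print(evaluate("max-age=31536000; includeSubDomains; preload", base_domain=True))
```

Run it as a script to see the reported header pass both of the audit's checks; feed it the base domain's header with base_domain=True to see whether the site could be submitted for preloading. A duplicate or non-numeric max-age raises, because a browser would discard such a header entirely.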
Content Security Policy
Content Security Policy set in HTTP header:
    default-src 'self' *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com *.impactradius-event.com *.teads.tv *.passage.ai wss://tars-prod.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.vols7feed.com *.addthis.co *.amazon-adsystem.com *.youtube.com *.doubleclick.net *.company-target.com *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.adsrvr.org dmtry.com *.dmtry.com *.quantserve.com *.bluekai.com *.facebook.com *.demandbase.com doubleclick.net *.trustev.com *.yahoo.com *.atedra.com *.twitter.com *.bing.com crwdcntrl.net c.rstg.io cdn.nextinsure.com *.jquery.com cloudfront.net *.googleapis.com *.adnxs.com *.rlcdn.com investis.com adsrvr.org sharethrough.com adroll.com yimg.com amazonaws.com *.fastclick.net secure.leadback.advertising.com google-analytics.com *.ads-twitter.com *.openx.net *.zencdn.net googleadservices.com gstatic.com bidswitch.net *.media6degrees.com googletagmanager.com *.siteintercept.qualtrics.com *.qualtrics.com;
    script-src 'self' *.impactradius-event.com *.teads.tv *.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.mxpnl.com *.vols7feed.com *.addthis.com *.googletagmanager.com *.optimizely.com *.pingdom.com *.cloudflare.com *.googleadservices.com *.youtube.com *.doubleclick.net *.google-analytics.com *.quantserve.com *.g.3gl.net *.eloqua.com *.crwdcntrl.net *.googleapis.com *.investis.com *.amazonaws.com *.cloudfront.net *.nextinsure.com *.lendingtree.com *.mediaplex.com *.demandbase.com *.jquery.com *.gstatic.com *.bing.com *.3gl.net *.yourscoreonline.com *.gofreecredit.com *.creditcheckingtoday.com *.naturaltracking.com *.credit.com *.facebook.com *.yimg.com *.ytimg.com *.quora.com *.ensighten.com *.d39se0h2uvfakd.cloudfront.net *.linkedin.com *.adsprotection.com *.brightcove.com *.hotjar.com *.adroll.com *.brightcove.net *.en25.com *.adsrvr.org *.abmr.net *.mathtag.com t2.rstg.io px.ads.linkedin.com vjs.zencdn.net *.twitter.com iad-login.dotomi.com snap.licdn.com sp.analytics.yahoo.com unpkg.com *.myfonts.net *.en25.com *.addthisedge.com *.zencdn.com *.s3.amazonaws.com cdn.ampproject.org *.company-target.com *.media6degrees.com *.ads-twitter.com cdn.mxpnl.com *.bizographics.com *.pingdom.net *.mbww.com *.entrust.net *.trustev.com *.mathtag.com *.googlesyndication.com *.google.com *.outbrain.com o1.qnsr.com *.facebook.net cas.cluep.com *.quizgnome.com *.siteintercept.qualtrics.com *.qualtrics.com *.pulseinsights.com blob: 'unsafe-eval' 'unsafe-inline';
    child-src *.evenfinancial.com *.transunion.com blob: *.crwdcntrl.net *.cdn.optimizely.com *.addthis.com *.doubleclick.net *.lendingtree.com *.youtube.com *.hotjar.com *.mediaplex.com *.optimizely.com *.brightcove.net s.amazon-adsystem.com *.trustev.com *.mathtag.com *.qnsr.com *.facebook.com *.siteintercept.qualtrics.com *.qualtrics.com;
    connect-src 'self' *.ifgza3.net *.passage.ai wss://tars-prod.passage.ai *.taboola.com *.transunion.com *.mixpanel.com *.optimizely.com *.youtube.com *.brightcovecdn.com *.pingdom.net *.brightcove.com manifest.prod.boltdns.net airbrake.io *.company-target.com r.3gl.net s7.addthis.com *.herokuapp.com unity.cadreon.com app.trustev.com *.hotjar.com wss://*.hotjar.com *.siteintercept.qualtrics.com *.qualtrics.com 'unsafe-eval';
    media-src 'self' *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.transunion.com blob: f1.media.brightcove.com;
    img-src * *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com data:;
    font-src data: *.transunion.com *.gstatic.com *.company-target.com edge.api.brightcove.com r.3gl.net *.addthis.com *.herokuapp.com *.quora.com;
    style-src * 'unsafe-eval' 'unsafe-inline';
    frame-ancestors *.transunion.com;
Content Security Policy (CSP) implemented unsafely. This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
In this policy the problems are specific: script-src carries both 'unsafe-inline' and 'unsafe-eval', so an injected inline <script> or event handler runs regardless of the host allowlist; object-src, base-uri and form-action are not set, so plugins fall back to the broad default-src, while <base> and form targets are unrestricted (those two directives do not inherit from default-src); img-src and style-src are *; and the script allowlist includes multi-tenant hosting origins (*.amazonaws.com, *.s3.amazonaws.com, *.cloudfront.net, unpkg.com) where anyone can publish a file, so the allowlist is an inventory of vendors rather than a boundary. The tests below are the ones the audit applies.

Test | Info
• Clickjacking protection, using frame-ancestors
  The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
• Deny by default, using default-src 'none'
  Denying by default using default-src 'none' can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
• Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
  The base tag can be used to trick your site into loading scripts from untrusted origins.
• Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
  Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
• Blocks loading of active content over HTTP or FTP
  Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code on your website. Restricting your policy and changing links to HTTPS can help prevent this.
• Blocks loading of passive content over HTTP or FTP
  This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
• Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
  'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
• Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
  Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
• Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
  Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
• Blocks inline styles by not allowing 'unsafe-inline' inside style-src
  Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
• Blocks execution of plug-ins, using object-src restrictions
  Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
The recommended way to enable Content Security Policy is with the Content-Security-Policy HTTP header, e.g.:
    Content-Security-Policy: default-src 'self'
It can also be enabled with an HTML <meta> element:
    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
A policy delivered in a <meta> element cannot contain frame-ancestors, sandbox or report-uri; those directives need the header.
CSP is a powerful mechanism that we strongly recommend. It allows for very fine-grained control. However, creating a good policy (or adjusting your site to work with a good policy) can take some time and effort. To make this easier, it's possible to use CSP in report-only mode: deliver the policy in a Content-Security-Policy-Report-Only header with a report-uri (or report-to) directive, and the browser reports violations without blocking anything.
See the following pages for more information:
• Content Security Policy (CSP) [developer.mozilla.org]
• Google Web Fundamentals: Content Security Policy [developers.google.com]
• CSP Cheat Sheet [scotthelme.co.uk]
• Report URI: Tools (CSP analyser, CSP builder) [report-uri.com]
• CSP Evaluator [csp-evaluator.withgoogle.com]
• CSP Level 2 specification [w3.org]
• CSP Level 3 specification [w3.org]
• Browser support [caniuse.com]
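The tests listed for this section can be run against a policy string. The following is an added example, written by the editor and not taken from Osano or the Mozilla Observatory: it parses the header, applies default-src fallback (which base-uri, form-action and frame-ancestors do not get), and returns one boolean per test. AUDITED is an abridged version of the header shown above, keeping only the directives that drive the results; STRICT is a constructed nonce-based policy for contrast, and its nonce value is a placeholder. The shared-hosting check goes beyond the audit's own tests, and its host list is the editor's selection.

```python
"""Parse a Content-Security-Policy header and run the checks listed in the audit.

Added example (not Osano's or the Observatory's code). SHARED_SCRIPT_HOSTS is
the editor's own list of multi-tenant origins where anyone can publish a file.
"""
from typing import Dict, List, Optional

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Multi-tenant hosts present in the audited script-src.
SHARED_SCRIPT_HOSTS = {"*.amazonaws.com", "*.s3.amazonaws.com", "*.cloudfront.net", "unpkg.com"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split on ';' and whitespace. A repeated directive is ignored, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that actually applies, honouring default-src fallback. None = unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def _insecure(sources: Optional[List[str]]) -> bool:
    """True if the list allows http:/ftp: fetches or is unrestricted."""
    if sources is None:
        return True
    return any(s == "*" or s.startswith(("http:", "ftp:")) for s in sources)


def audit(header: str) -> Dict[str, bool]:
    """Each key is one test from the audit; True means the test passes."""
    p = parse_csp(header)
    script = effective(p, "script-src") or []
    style = effective(p, "style-src") or []
    obj = effective(p, "object-src")
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in script)
    return {
        "frame-ancestors set": "frame-ancestors" in p,
        "default-src 'none'": p.get("default-src") == ["'none'"],
        "base-uri restricted": "base-uri" in p and "*" not in p["base-uri"],
        "form-action restricted": "form-action" in p and "*" not in p["form-action"],
        "no active content over http/ftp": not (_insecure(effective(p, "script-src")) or _insecure(obj)),
        "no passive content over http/ftp": not (_insecure(effective(p, "img-src")) or _insecure(effective(p, "media-src"))),
        "strict-dynamic (optional)": "'strict-dynamic'" in script,
        "no 'unsafe-eval' in script-src": "'unsafe-eval'" not in script,
        "no 'unsafe-inline' in script-src": "'unsafe-inline'" not in script or nonce_or_hash,
        "no 'unsafe-inline' in style-src": "'unsafe-inline'" not in style,
        "object-src 'none'": obj == ["'none'"],
        "no shared-hosting script origins": not (set(script) & SHARED_SCRIPT_HOSTS),
    }


# Abridged from the audited policy: only the directives that drive the failures.
AUDITED = ("default-src 'self' *.transunion.com *.doubleclick.net; "
           "script-src 'self' *.transunion.com *.amazonaws.com *.cloudfront.net unpkg.com "
           "blob: 'unsafe-eval' 'unsafe-inline'; "
           "img-src * *.rlcdn.com data:; style-src * 'unsafe-eval' 'unsafe-inline'; "
           "frame-ancestors *.transunion.com")
# A strict, nonce-based policy for comparison; the nonce value is a placeholder.
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
          "style-src 'self'; img-src 'self' https:; connect-src 'self'; "
          "object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'")

if __name__ == "__main__":
    for name, policy in (("audited", AUDITED), ("strict", STRICT)):
        failed = [test for test, ok in audit(policy).items() if not ok]
        print(name, failed or "all checks pass")
```

The nonce rule matters when reading real policies: a header that lists 'unsafe-inline' next to a nonce is not weak, because the keyword is there only for pre-CSP2 browsers. The reverse also holds: the audited policy's 'unsafe-inline' has no nonce beside it, so it is fully in effect.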
Referrer Policy
Referrer Policy not set. This means that the default value, no-referrer-when-downgrade, which leaks referrers in many situations, is used. (That was the browser default when this audit ran; Chrome 85 and Firefox 87 later switched to strict-origin-when-cross-origin, which sends only the origin to other sites. Because the default still varies by browser and version, an explicit policy remains the fix.)
A referrer policy can easily be set with a <meta> element in your HTML. Simply include this inside the <head> section:
    <meta name="referrer" content="no-referrer">
Alternatively, set the Referrer-Policy HTTP header, e.g.:
    Referrer-Policy: no-referrer
If a referrer policy is delivered via both the Referrer-Policy header and a meta element, the meta element's policy takes precedence, because it is applied later, when the document is parsed.
If multiple policy values are specified, the browser will use the last one it recognises, ignoring unknown values (fallback values should thus appear first). Multiple values should be separated by commas, e.g.:
    <meta name="referrer" content="no-referrer, same-origin">
Several policies are offered, such as origin (strips everything except the origin) and origin-when-cross-origin (sends the full URL with same-origin requests, otherwise only the origin). We recommend no-referrer, which suppresses the Referer header entirely for all requests, no matter the destination; or same-origin, which suppresses the referrer for third-party requests but not for requests to the same origin. If other sites' analytics need to know where traffic came from, strict-origin-when-cross-origin is the compromise: the origin only, and nothing at all on an HTTPS-to-HTTP downgrade.
• Referrer-Policy [developer.mozilla.org]
• Referer header: privacy and security concerns [developer.mozilla.org]
• Referrer Policy specification [w3.org]
• Browser support [caniuse.com]
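The fallback rule and the per-policy behaviour above are easy to get wrong, so here is an added example (the editor's code, not Osano's) that picks the effective policy from a comma-separated list and computes the Referer a browser would send for a given policy, source page and destination. The page and tracker URLs are constructed; the downgrade test is simplified to an https-to-http transition.

```python
"""Resolve an effective Referrer-Policy and compute the Referer a browser would send.

Added example (not Osano's code). Policy semantics follow the W3C Referrer
Policy spec; "downgrade" is simplified to an https -> http transition.
"""
from typing import Optional
from urllib.parse import urlsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
}
# What the audited browser used when no policy was set; current browsers
# default to strict-origin-when-cross-origin instead.
LEGACY_DEFAULT = "no-referrer-when-downgrade"


def effective_policy(header_value: str, default: str = LEGACY_DEFAULT) -> str:
    """Comma-separated list: the last recognised token wins, unknown tokens are skipped."""
    chosen = None
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen or default


def _origin(url: str) -> str:
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}"


def _stripped(url: str) -> str:
    """Full-URL referrer: credentials and fragment removed, query kept."""
    u = urlsplit(url)
    query = f"?{u.query}" if u.query else ""
    return f"{_origin(url)}{u.path or '/'}{query}"


def referer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Return the Referer header value, or None when none is sent."""
    same_origin = _origin(source) == _origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    origin_only = _origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source)
    if policy == "same-origin":
        return _stripped(source) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return _stripped(source) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _stripped(source)
        return None if downgrade else origin_only
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    page = "https://www.transunion.com/credit-report?id=123#top"   # constructed URL
    tracker = "https://trc.taboola.com/1193436/log/3/unip"         # a host from the audit
    for policy in (LEGACY_DEFAULT, "same-origin", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:34} -> {referer_for(policy, page, tracker)}")
```

Running the script shows the leak the audit is describing: under the legacy default, the tracker receives the full page URL including the query string, while same-origin sends nothing to it and strict-origin-when-cross-origin sends only https://www.transunion.com/.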
Subresource Integrity (SRI)
Subresource Integrity (SRI) not implemented, and external resources are loaded over HTTP or use protocol-relative URLs via src="//...".
On a page served over HTTPS a protocol-relative URL resolves to https://, so the scripts below were fetched securely during this test; the risk is that the same markup served over HTTP would fetch them in the clear. Use explicit https:// URLs.
The following resources from other origins (including the site's own assets.transunion.com) are loaded without SRI:
Type | URL
script | https://siteintercept.qualtrics.com/dxjsmodule/CoreModule.js?Q_CLIENTVERSION=1.17.0&Q_CLIENTTYPE=web
script | https://siteintercept.qualtrics.com/dxjsmodule/CoreModule.js?Q_CLIENTVERSION=1.17.0&Q_CLIENTTYPE=web
script | https://zn74cvbyxcewl8l2z-transunioncxusa.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=Z...
script | https://zn8i03elsrj8ujesh-transunioncxusa.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=Z...
script | https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1ol6&events=%5B%5B%22pageview...
script | //assets.transunion.com/resources/js/personalizedBanner.js
script | //assets.transunion.com/resources/js/immersive.js
script | //assets.transunion.com/resources/js/tu-main.js
script | //assets.transunion.com/resources/js/lib/min/slick.min.js
script | //assets.transunion.com/resources/js/TuFontsCounter.js
script | //assets.transunion.com/resources/js/validation.js
script | //assets.transunion.com/resources/js/lib/min/jquery.visible.min.js
script | //assets.transunion.com/resources/js/lib/min/handlebars.min.js
script | //assets.transunion.com/resources/js/lib/min/jquery.touchSwipe.min.js
script | //assets.transunion.com/resources/js/lib/min/additional-methods.min.js
script | //assets.transunion.com/resources/js/lib/min/jquery.validate.min.js
script | //assets.transunion.com/resources/js/lib/min/bootstrap.min.js
script | //assets.transunion.com/resources/js/lib/min/jquery.min.js
script | https://script.hotjar.com/modules.7b8376ee918863f83692.js
script | https://googleads.g.doubleclick.net/pagead/viewthroughconversion/945968994/?random=1576775665372&cv=...
css | //assets.transunion.com/resources/transunion/css/consumer/orphan/homebuttonfix.css
css | //assets.transunion.com/resources/transunion/css/consumer/orphan/ppc/home-alt.css
css | //assets.transunion.com/resources/css/main-isobar.css
css | //assets.transunion.com/resources/css/lib/slick.css
css | //assets.transunion.com/resources/css/tu-main.css
css | //assets.transunion.com/resources/css/tu-font-awesome.css
css | //assets.transunion.com/resources/css/lib/bootstrap.min.css
css | //assets.transunion.com/resources/css/lib/jquery-ui.css
script | //assets.transunion.com/resources/js/lib/min/modernizr.min.js
script | https://cdn.optimizely.com/js/4242406432.js
script | //www.googletagmanager.com/gtm.js?id=GTM-T8HG9X4
script | //www.googleadservices.com/pagead/conversion_async.js
script | //static.hotjar.com/c/hotjar-949432.js?sv=5
script | https://connect.facebook.net/en_US/fbevents.js
script | https://connect.facebook.net/signals/config/871078119587868?v=2.9.15&r=stable
script | //bat.bing.com/bat.js
script | //cdn.taboola.com/libtrc/unip/1193436/tfa.js
script | //static.ads-twitter.com/uwt.js
script | https://hello.myfonts.net/count/2ca963
script | https://scripts.demandbase.com/YZhT3gW1.min.js
script | https://www.google-analytics.com/analytics.js
script | https://www.google-analytics.com/plugins/ua/linkid.js
SRI can be used with script and link elements. To enable SRI on an element, you need to add integrity and crossorigin attributes to it.
integrity should contain integrity metadata: a string naming the cryptographic hash function used (currently sha256, sha384, or sha512), followed by a dash, followed by the base64-encoded hash of the file. Several space-separated values may be given; the browser then checks only against the strongest algorithm listed.
crossorigin must be set to anonymous for third-party resources when using SRI. This has to do with CORS: the browser can only verify a cross-origin response it is allowed to read, so the server hosting the file must send an Access-Control-Allow-Origin header; without it the resource is blocked rather than silently accepted.
SRI pins content, not just origin: every update to the file on the CDN needs a new hash in the page, which is why it is most practical with versioned URLs such as the one below, and why the tag-manager and analytics loaders listed above (which their vendors change without notice) are the hardest to cover.
For example, given the file https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js, we can calculate the SHA384 hash:
    $ openssl dgst -sha384 -binary jquery.min.js | openssl base64 -A
    tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT
The correct HTML code should then be:
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"
            integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT"
            crossorigin="anonymous"></script>
When the browser sees this element, it will download jquery.min.js, calculate the SHA384 hash, compare it to the hash in the integrity attribute, and only run the script if the hashes match. For example, if someone were to modify jquery.min.js on the remote server after we calculated the original hash, Firefox would refuse to run the script and you'd see this in the browser console:
    None of the "sha384" hashes in the integrity attribute match the content of the subresource.
To make all this easier, you can use Mozilla's SRI Hash Generator.
• Subresource Integrity [developer.mozilla.org]
• Protecting your embedded content with subresource integrity (SRI) [troyhunt.com]
• Subresource Integrity specification [w3.org]
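The hashing and matching described above, as an added example in Python (the editor's code, not Osano's): integrity_for() produces the same value as the openssl pipeline for the same bytes, and verify() applies the browser rules that matter in practice, including the one that bites people: an integrity attribute with no usable token disables the check instead of failing closed. The script body is a constructed stand-in for a CDN file.

```python
"""Compute and verify Subresource Integrity metadata the way a browser does.

Added example (not Osano's code). CDN_SCRIPT is a constructed stand-in for a
CDN file; its hash is computed here, not copied from the report.
"""
import base64
import hashlib
from typing import List, Tuple

# Browsers keep only the strongest algorithm present and ignore the rest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_for(content: bytes, algo: str = "sha384") -> str:
    """Same digest as `openssl dgst -<algo> -binary file | openssl base64 -A`, with the algo prefix."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported algorithm {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(metadata: str) -> List[Tuple[str, bytes]]:
    """Tokens are whitespace-separated 'algo-base64[?options]'.

    Unknown algorithms and malformed digests are dropped silently, which is
    what the spec requires: a typo such as 'sha348-' leaves no usable
    metadata and the resource loads unchecked.
    """
    parsed = []
    for token in metadata.split():
        algo, _, rest = token.partition("-")
        algo = algo.lower()
        if algo not in STRENGTH:
            continue
        try:
            digest = base64.b64decode(rest.split("?", 1)[0], validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if len(digest) == hashlib.new(algo).digest_size:
            parsed.append((algo, digest))
    return parsed


def verify(content: bytes, metadata: str) -> bool:
    """True if the browser would execute the resource given this integrity attribute."""
    parsed = parse_integrity(metadata)
    if not parsed:
        return True   # no usable metadata: the fetch is not integrity-checked at all
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    return any(
        STRENGTH[algo] == strongest and hashlib.new(algo, content).digest() == digest
        for algo, digest in parsed
    )


# Constructed script body standing in for a library file served from a CDN.
CDN_SCRIPT = b"(function(){window.example={version:'1.0'};})();\n"

if __name__ == "__main__":
    meta = integrity_for(CDN_SCRIPT)
    print(f'<script src="https://cdn.example/lib.js" integrity="{meta}" crossorigin="anonymous"></script>')
    print("unmodified file:   ", verify(CDN_SCRIPT, meta))
    print("modified on the CDN:", verify(CDN_SCRIPT + b"\n// appended later\n", meta))
    print("typo in algorithm: ", verify(CDN_SCRIPT, meta.replace("sha384-", "sha348-")))
```

The third line of output is the caveat to remember when reviewing markup: a misspelt algorithm name, or an integrity value that does not decode, produces no console error and no protection, so SRI attributes need to be tested by deliberately altering the file once, not just by checking that the page still loads.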
HTTP headers
Header | Value | Result
X-Content-Type-Options | nosniff | X-Content-Type-Options header set to "nosniff"
X-Frame-Options | SAMEORIGIN | X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
X-XSS-Protection | 1; mode=block | X-XSS-Protection header set to "1; mode=block"

To enable these headers you'll need to add them to your web server configuration. This is a simple change. Exactly how you do it depends on what server you use. This page [developer.mozilla.org] has configuration examples for Apache, Nginx and IIS.
X-Content-Type-Options should be set to nosniff, which is the only valid value.
X-Frame-Options can be set to deny (the page can never be loaded in a frame) or sameorigin (the page can only be loaded in a frame if the framing page has the same origin). The allow-from <URI> form (the page can only be framed by the specified origin) was never supported by Chrome or Safari and has been removed from Firefox; use the CSP frame-ancestors directive instead, which browsers apply in preference to X-Frame-Options when both are present. Here frame-ancestors *.transunion.com is the policy that takes effect.
X-XSS-Protection should be set to 1 or 1; mode=block for browsers that still have an XSS auditor. Chrome removed its auditor in version 78 and Firefox never shipped one, so this header is a legacy measure; a CSP without 'unsafe-inline' in script-src is the effective control.
Cookies
First-party cookies (14)
Domain | Name | Value | Expires | HttpOnly | Secure | SameSite
www.transunion.com | JSESSIONID | 535BD3098F9F3521EB19... | session | | |
.transunion.com | optimizelyEndUserId | oeu1576775664792r0.4... | 2020-06-16 17:14:24Z | | |
www.transunion.com | tm_engage | true | 2019-12-26 17:14:24Z | | |
.transunion.com | _gcl_au | 1.1.1334588532.15767... | 2020-03-18 17:14:25Z | | |
.transunion.com | TM_Visit | not-set | 2019-12-19 17:44:25Z | | |
.transunion.com | TM_VDetail | direct||not-set|| | 2019-12-19 17:44:25Z | | |
.transunion.com | TM_VEvents | 00000000 | 2019-12-19 17:44:25Z | | |
.transunion.com | _fbp | fb.1.1576775665526.1... | 2020-03-18 17:14:26Z | | |
.transunion.com | _hjid | ba3eaa76-3d36-4899-9... | 2020-12-09 17:14:25Z | | |
.transunion.com | _ga | GA1.2.611973946.1576... | 2021-12-18 17:14:25Z | | |
.transunion.com | _gid | GA1.2.333414249.1576... | 2019-12-20 17:14:25Z | | |
.transunion.com | _dc_gtm_UA-2854562-5 | 1 | 2019-12-19 17:15:25Z | | |
www.transunion.com | _hjIncludedInSample | 1 | session | | |
www.transunion.com | QSI_HistorySession | https%3A%2F%2Fwww.tr... | session | | |

Third-party cookies (19)
Domain | Name | Value | Expires | HttpOnly | Secure | SameSite
trc.taboola.com | taboola_session_id | v2_13418af8dafcd1de7... | session | | |
.bing.com | MUID | 02F9E23F15EA6B1A1816... | 2021-01-12 17:14:26Z | | |
.bat.bing.com | MR | 0 | 2020-06-16 17:14:26Z | | |
bat.bing.com | MUIDB | 3F33BD824D5067FF1035... | 2021-01-12 17:14:26Z | | |
.yahoo.com | B | 53go601evnbvh&b=3&s=... | 2020-12-18 17:14:25Z | | |
.doubleclick.net | IDE | AHWqTUm8fRNrce1oz9CK... | 2021-12-18 17:14:25Z | | |
.taboola.com | t_gid | 317edc57-3f2f-4785-b... | 2020-12-18 17:14:25Z | | |
.twitter.com | personalization_id | "v1_QC0oLd1Nr6pa7NBB... | 2021-12-18 17:14:26Z | | |
.bidr.io | bito | AAUC4U6792AAADkK7Xxq... | 2021-01-17 12:14:26Z | | |
.bidr.io | bitoIsSecure | ok | 2021-01-17 12:14:26Z | | |
.company-target.com | tuuid | 4831d9f9-6dec-4c1d-a... | 2021-12-18 17:14:26Z | | |
.company-target.com | tuuid_lu | 1576775665 | 2021-12-18 17:14:26Z | | |
members.transunion.ca | TUCILBCookie | !mLDulblljDZ4QsH2dvb... | session | | |
r.3gl.net | ua | 20,84,76,56,0,0,0,0 | 2019-12-19 18:14:26Z | | |
r.3gl.net | gi | 0F,1,224,46,4059,0,0... | 2019-12-20 17:14:26Z | | |
.facebook.com | fr | 0klRSbCrykILNopTO..B... | 2020-03-18 17:14:26Z | | |
.siteintercept.qualtrics.com | __cfduid | dc535737dc91c5dd0e74... | 2020-01-18 17:14:26Z | | | Lax
.atdmt.com | AA003 | AXzTF6RZZeNVNxLCpaQv... | 2020-03-18 17:14:26Z | | |
.atdmt.com | ATN | 1.1576775666.1741176... | 2021-12-18 17:14:26Z | | |
HttpOnly means that the cookie is sent to the server but cannot be read by JavaScript on the client (document.cookie). This can mitigate the impact of XSS (cross-site scripting) attacks, since an injected script cannot read the session token.
Secure means that the cookie will only be sent over a secure channel (HTTPS). This can mitigate MITM (man-in-the-middle) attacks.
SameSite can be used to instruct the browser to only send the cookie when the request originates from the same site: Strict never sends it on cross-site requests, Lax sends it only on top-level navigations using safe methods such as GET, and None restores cross-site sending and must be combined with Secure. This can mitigate CSRF (cross-site request forgery) attacks.
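An added example (the editor's code, not Osano's) that applies the three attribute checks above, plus the one-year lifetime limit discussed later in this section, to Set-Cookie header values. The three sample headers are constructed for example.com and are not the cookies observed on transunion.com; lifetimes are measured from the audit's completion time.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure, SameSite and lifetime.

Added example (not Osano's code). SAMPLE_HEADERS are constructed and use
example.com; they are not the cookies observed on transunion.com.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Reference instant for lifetime calculations: the audit's completion time.
AUDIT_TIME = datetime(2019, 12, 19, 17, 14, 25, tzinfo=timezone.utc)
MAX_REASONABLE_LIFETIME = timedelta(days=365)   # the one-year figure cited in the cookies section


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(), "value": value.strip(), "domain": None,
        "httponly": False, "secure": False, "samesite": None, "lifetime": None,
    }
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key == "samesite":
            cookie["samesite"] = val.capitalize() if val.lower() in ("lax", "strict", "none") else "invalid"
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["lifetime"] = timedelta(seconds=int(val))   # Max-Age takes precedence over Expires
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue
    if cookie["lifetime"] is None and expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        cookie["lifetime"] = expires - AUDIT_TIME
    return cookie


def findings(cookie: Dict[str, object]) -> List[str]:
    """Return the weaknesses a reviewer would flag; an empty list means none."""
    issues = []
    if not cookie["secure"]:
        issues.append("missing Secure: the cookie is also sent over plain HTTP")
    if not cookie["httponly"]:
        issues.append("missing HttpOnly: readable through document.cookie after an XSS")
    if cookie["samesite"] is None:
        issues.append("no SameSite: behaviour depends on the browser's default")
    elif cookie["samesite"] == "None" and not cookie["secure"]:
        issues.append("SameSite=None without Secure: modern browsers reject the cookie")
    elif cookie["samesite"] == "invalid":
        issues.append("unrecognised SameSite value: treated as if absent")
    lifetime = cookie["lifetime"]
    if lifetime is not None and lifetime > MAX_REASONABLE_LIFETIME:
        issues.append(f"lifetime of {lifetime.days} days exceeds one year")
    return issues


# Constructed samples: a hardened session cookie, an analytics cookie with no
# attributes and a two-year expiry, and a cross-site cookie missing Secure.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123456789.1576775665; Domain=.example.com; Expires=Sat, 18 Dec 2021 17:14:25 GMT; Path=/",
    "tracker=1; SameSite=None",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        c = parse_set_cookie(header)
        print(c["name"], findings(c) or ["ok"])
```

The second sample mirrors the shape of the analytics cookies in the table above (a two-year expiry and no attributes) and collects all four findings; the first shows what a session cookie should look like.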
GDPR: Rec. 60, Rec. 61, Rec. 69, Rec. 70, Rec. 75, Rec. 78, Art. 5.1.a, Art. 5.1.c, Art. 5.1.e, Art. 21, Art. 22, Art. 32.
e-PD (2002/58/EC). Rec. 24, 25, Art. 5.2.
e-PD revised (2009/136/EC). Rec. 65, 66.
First-party cookies are placed by the web site owner in some register on their visitors' device in order to be able to re-identify the visitor on subsequent page loads. First-party cookies can be related to technical features of a web site (such as remembering language settings or the contents of a shopping basket), or to commercial features of the web site owner's activities (such as tracing a visitor's behaviour over the duration of their visit, or over much longer periods, often years, in order to serve advertisements to users or to gather usage statistics that guide later changes intended to make the web site more attractive to recurring users). First-party cookies may come from services provided by the web site owner (language settings in a Content Management System) or from services used by the web site owner (analytics tools).
Third-party cookies are placed by a service affiliated with the web site owner on the devices of visitors to the web site in order to re-identify the visitor on subsequent page loads, or across different web sites. Third-party cookies are typically related to commercial features of a web site owner's activities, usually advertising, but may also relate to technical features in scripts used by a web site (such as language settings).
Storing information or gaining access to information stored in the visitors' devices, for instance in the form of cookies, has been subject to sui generis legislation in the European Union (ePD, Art. 5.3). These sui generis laws have tried to make a distinction between information stored to support technical features and information stored to support commercial features. In practice, poor enforcement of these rules has made the legal landscape unclear. Because there exists no legal duty for citizens to receive better targeted advertisement, nor a legal duty for citizens to assist web developers in improving web sites, it is doubtful that a legal basis exists for storing information to support commercial features without the consent of the web visitor (GDPR Art. 7). It is argued that the legitimate interests of a web site owner (Art. 6.1.f, Art. 6.4) may nevertheless enable them to subject a visitor to targeted ads or cause a visitor to assist the web developers. In that case a relevant and appropriate relationship must exist between the web visitor and the web site owner (GDPR Rec. 47), which calls into question the use of first-party cookies set on behalf of third-party services. In either case, if the legitimate interest legal basis for processing is invoked, adequate security measures must be undertaken (GDPR Art. 32).
Particular care must be taken with regards to the period of storage (GDPR Art. 5.1.e). While it is technically easy for a web site owner to set the lifetime of information stored in the form of cookies to a long period of time, the principle of storage limitation implies a balancing act between the interest in tracking a visitor's behaviour and the interest of the visitor in keeping their behaviour private. It has been established that a reasonable storage period does not exceed one year.
localStorage
localStorage used:
Key | Value
1193436:session-data | v2_13418af8dafcd1de7fc8974d0fc95ce6_317edc57-3f2f-...
__CG | u:8307841423775361000,s:1546992973,t:1576775665882...
_hjid | ba3eaa76-3d36-4899-931b-1f2f08c0967e
eng_mt | {"ver":27,"sessionStartTime":1576775665334,"scroll...
optimizely_data$$oeu1576775664792r0.43684453882158... | null
optimizely_data$$oeu1576775664792r0.43684453882158... | null
optimizely_data$$oeu1576775664792r0.43684453882158... | {}
optimizely_data$$oeu1576775664792r0.43684453882158... | []
optimizely_data$$oeu1576775664792r0.43684453882158... | {"lastSessionTimestamp":1576775664801,"sessionId":...
optimizely_data$$oeu1576775664792r0.43684453882158... | {}
optimizely_data$$oeu1576775664792r0.43684453882158... | {}
optimizely_data$$oeu1576775664792r0.43684453882158... | {"profile":{"visitorId":"oeu1576775664792r0.436844...
optimizely_data$$pending_events | {}
taboola global:user-id | 317edc57-3f2f-4785-baea-6fb9d9f2b92c-tuct4f53571
Third-party requests5757 requests (57 secure, 0 insecure) to 3636 unique hosts.
A third-party request is a request to a domain that's not transunion.com or one of its subdomains.
HostHost IPIPCountrCountr
yyClassificationClassification
stats.g.doubleclick.net
https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&t...
172.217.197.157
USDisconnect (Google)
static.hotjar.com
https://static.hotjar.com/c/hotjar-949432.js?sv=5
147.75.39.63
NL Analytics (Hotjar)
match.prod.bidr.io
https://match.prod.bidr.io/cookie-sync/demandbase?_bee_ppp=1
https://match.prod.bidr.io/cookie-sync/demandbase
52.203.83.158
US
segments.company-target.com
https://segments.company-target.com/validateCookie?vendor=choca&user_i...
https://segments.company-target.com/log?vendor=choca&user_id=AAUC4U679...
13.249.44.81
USAnalytics (Demandbase)
g.3gl.net
https://g.3gl.net/jp/320/v3.2.0/M
93.184.216.38
US
www.googletagmanager.com
https://www.googletagmanager.com/gtm.js?id=GTM-T8HG9X4
172.217.12.232
USDisconnect (Google)
www.osano.com
siteintercept.qualtrics.com
https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
https://siteintercept.qualtrics.com/dxjsmodule/CoreModule.js?Q_CLIENTV...
https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
104.17.209.240
US
analytics.twitter.com
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=...
104.244.42.131
USDisconnect (Twitter)
sp.analytics.yahoo.com
https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10014220&ec=TUHomepa...
https://sp.analytics.yahoo.com/spp.pl?a=10001064297885&.yp=415148&et=T...
https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10079906
76.13.32.146
US
connect.facebook.net
https://connect.facebook.net/signals/config/871078119587868?v=2.9.15&r...
https://connect.facebook.net/en_US/fbevents.js
69.171.250.25
USDisconnect (Facebook)
googleads.g.doubleclick.net
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/94596...
172.217.7.194
USDisconnect (Google)
api.company-target.com
https://api.company-target.com/api/v2/ip.json?referrer=&page=https%3A%...
13.249.44.72
USAnalytics (Demandbase)
HostHost IPIPCountrCountr
yyClassificationClassification
www.osano.com
cx.atdmt.com
https://cx.atdmt.com/?c=9239934406948647794&f=AYxZPDnFRUTCTIQv4DUYG8OK...
31.13.65.2 IEAdvertising (Microsoft)
ad.doubleclick.net
https://ad.doubleclick.net/activity;dc_pre=CI3prIubwuYCFQd_wQodbpYCTw;...
https://ad.doubleclick.net/activity;dc_pre=CMDjrIubwuYCFUtrwQodbvAPcQ;...
https://ad.doubleclick.net/activity;src=8524752;type=rmkt01;cat=trarm0...
https://ad.doubleclick.net/activity;src=4395963;type=TUIVM0;cat=Trans0...
172.217.9.198
USDisconnect (Google)
adservice.google.com
https://adservice.google.com/ddm/fls/z/dc_pre=CI3prIubwuYCFQd_wQodbpYC...
https://adservice.google.com/ddm/fls/z/dc_pre=CMDjrIubwuYCFUtrwQodbvAP...
172.217.7.194
US
cdn.optimizely.com
https://cdn.optimizely.com/js/4242406432.js
23.195.249.8
USContent (Optimizely)
cdn.taboola.com
https://cdn.taboola.com/libtrc/unip/1193436/tfa.js
151.101.202.2
USAdvertising (Taboola)
logx.optimizely.com
https://logx.optimizely.com/v1/events
34.233.232.157
USContent (Optimizely)
www.facebook.com
https://www.facebook.com/tr/?id=871078119587868&ev=Microdata&dl=https%...
https://www.facebook.com/tr/?id=871078119587868&ev=PageView&dl=https%3...
31.13.65.36 IEDisconnect (Facebook)
HostHost IPIPCountrCountr
yyClassificationClassification
www.osano.com
r.3gl.net
https://r.3gl.net/hawklogserver/r.p
173.231.186.87
US
scripts.demandbase.com
https://scripts.demandbase.com/YZhT3gW1.min.js
13.249.44.77
USAnalytics (Demandbase)
a4242406432.cdn.optimizely.com
https://a4242406432.cdn.optimizely.com/client_storage/a4242406432.html
104.119.29.102
USContent (Optimizely)
members.transunion.ca
https://members.transunion.ca/sites/tucan_en/assets/images/analytics.g...
74.117.129.102
US
hello.myfonts.net
https://hello.myfonts.net/count/2ca963
152.199.24.107
US
t.co
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1ol6&events=%5B%...
104.244.42.5
US
www.googleadservices.com
https://www.googleadservices.com/pagead/conversion_async.js
172.217.9.194
USDisconnect (Google)
www.google.com
https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-285...
https://www.google.com/pagead/1p-user-list/945968994/?random=157677566...
172.217.13.228
US
vars.hotjar.com
https://vars.hotjar.com/box-b736908ce6b0e933fad3a2e45df61b38.html
147.75.195.51
US Analytics (Hotjar)
static.ads-twitter.com
https://static.ads-twitter.com/uwt.js
151.101.248.157
USDisconnect (Twitter)
HostHost IPIPCountrCountr
yyClassificationClassification
www.osano.com
zn74cvbyxcewl8l2z-transunioncxusa.siteintercept.qualtrics.com
https://zn74cvbyxcewl8l2z-transunioncxusa.siteintercept.qualtrics.com/...
104.17.209.240
US
trc.taboola.com
https://trc.taboola.com/1193436/log/3/unip?en=page_view&tim=1576775665...
https://trc.taboola.com/1193436/trc/3/json?tim=1576775665337&data=%7B%...
151.101.202.2
USAdvertising (Taboola)
www.google-analytics.com
https://www.google-analytics.com/collect?v=1&_v=j79&a=1324264946&t=pag...
https://www.google-analytics.com/plugins/ua/linkid.js
https://www.google-analytics.com/analytics.js
172.217.15.110
USDisconnect (Google)
in.hotjar.com
https://in.hotjar.com/api/v2/client/sites/949432/visit-data?sv=5
https://in.hotjar.com/api/v2/client/sites/949432/visit-data?sv=5
https://in.hotjar.com/api/v2/client/sites/949432/visit-data?sv=5
52.50.117.83
IE Analytics (Hotjar)
zn8i03elsrj8ujesh-transunioncxusa.siteintercept.qualtrics.com
https://zn8i03elsrj8ujesh-transunioncxusa.siteintercept.qualtrics.com/...
104.17.209.240
US
script.hotjar.com
https://script.hotjar.com/modules.7b8376ee918863f83692.js
147.75.197.65
JP Analytics (Hotjar)
bat.bing.com
https://bat.bing.com/action/0?ti=4020018&Ver=2&mid=ec549770-3c44-94cb-...
https://bat.bing.com/bat.js
204.79.197.200
US Content (Microsoft)
GDPR: Rec. 69, Rec. 70, Art. 5.1.b-c, Art. 25.
Server location
The server www.transunion.com (66.175.240.138) appears to have been located in United States of America during our test.
Raw headers
Header Value
accept-ranges none
cache-control no-store, no-cache, must-revalidate, max-age=0
connection Keep-Alive
content-encoding gzip
content-language en
content-security-policy
default-src 'self' *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com *.impactradius-event.com *.teads.tv *.passage.ai wss://tars-prod.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.vols7feed.com *.addthis.co *.amazon-adsystem.com *.youtube.com *.doubleclick.net *.company-target.com *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.adsrvr.org dmtry.com *.dmtry.com *.quantserve.com *.bluekai.com *.facebook.com *.demandbase.com doubleclick.net *.trustev.com *.yahoo.com *.atedra.com *.twitter.com *.bing.com crwdcntrl.net c.rstg.io cdn.nextinsure.com *.jquery.com cloudfront.net *.googleapis.com *.adnxs.com *.rlcdn.com investis.com adsrvr.org sharethrough.com adroll.com yimg.com amazonaws.com *.fastclick.net secure.leadback.advertising.com google-analytics.com *.ads-twitter.com *.openx.net *.zencdn.net googleadservices.com gstatic.com bidswitch.net *.media6degrees.com googletagmanager.com *.siteintercept.qualtrics.com *.qualtrics.com; script-src 'self' *.impactradius-event.com *.teads.tv *.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.mxpnl.com *.vols7feed.com *.addthis.com *.googletagmanager.com *.optimizely.com *.pingdom.com *.cloudflare.com *.googleadservices.com *.youtube.com *.doubleclick.net *.google-analytics.com *.quantserve.com *.g.3gl.net *.eloqua.com *.crwdcntrl.net *.googleapis.com *.investis.com *.amazonaws.com *.cloudfront.net *.nextinsure.com *.lendingtree.com *.mediaplex.com *.demandbase.com *.jquery.com *.gstatic.com *.bing.com *.3gl.net *.yourscoreonline.com *.gofreecredit.com *.creditcheckingtoday.com *.naturaltracking.com *.credit.com *.facebook.com *.yimg.com *.ytimg.com *.quora.com *.ensighten.com *.d39se0h2uvfakd.cloudfront.net *.linkedin.com *.adsprotection.com *.brightcove.com *.hotjar.com *.adroll.com *.brightcove.net *.en25.com *.adsrvr.org *.abmr.net *.mathtag.com t2.rstg.io px.ads.linkedin.com vjs.zencdn.net *.twitter.com iad-login.dotomi.com snap.licdn.com sp.analytics.yahoo.com unpkg.com *.myfonts.net *.en25.com *.addthisedge.com *.zencdn.com *.s3.amazonaws.com cdn.ampproject.org *.company-target.com *.media6degrees.com *.ads-twitter.com cdn.mxpnl.com *.bizographics.com *.pingdom.net *.mbww.com *.entrust.net *.trustev.com *.mathtag.com *.googlesyndication.com *.google.com *.outbrain.com o1.qnsr.com *.facebook.net cas.cluep.com *.quizgnome.com *.siteintercept.qualtrics.com *.qualtrics.com *.pulseinsights.com blob: 'unsafe-eval' 'unsafe-inline'; child-src *.evenfinancial.com *.transunion.com blob: *.crwdcntrl.net *.cdn.optimizely.com *.addthis.com *.doubleclick.net *.lendingtree.com *.youtube.com *.hotjar.com *.mediaplex.com *.optimizely.com *.brightcove.net s.amazon-adsystem.com *.trustev.com *.mathtag.com *.qnsr.com *.facebook.com *.siteintercept.qualtrics.com *.qualtrics.com; connect-src 'self' *.ifgza3.net *.passage.ai wss://tars-prod.passage.ai *.taboola.com *.transunion.com *.mixpanel.com *.optimizely.com *.youtube.com *.brightcovecdn.com *.pingdom.net *.brightcove.com manifest.prod.boltdns.net airbrake.io *.company-target.com r.3gl.net s7.addthis.com *.herokuapp.com unity.cadreon.com app.trustev.com *.hotjar.com wss://*.hotjar.com *.siteintercept.qualtrics.com *.qualtrics.com 'unsafe-eval'; media-src 'self' *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.transunion.com blob: f1.media.brightcove.com; img-src * *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com data:; font-src data: *.transunion.com *.gstatic.com *.company-target.com edge.api.brightcove.com r.3gl.net *.addthis.com *.herokuapp.com *.quora.com; style-src * 'unsafe-eval' 'unsafe-inline'; frame-ancestors *.transunion.com;
content-type text/html;charset=UTF-8
date Thu, 19 Dec 2019 17:14:24 GMT
keep-alive timeout=10, max=89
pragma no-cache
server Transunion
set-cookie JSESSIONID=535BD3098F9F3521EB1904EA7027CC3D; Path=/iw-runtime; Secure; HttpOnly
strict-transport-security max-age=15768000; includeSubDomains
transfer-encoding chunked
vary Accept-Encoding
x-content-type-options nosniff
x-frame-options SAMEORIGIN
x-xss-protection 1; mode=block