footprintdns.com: privacy

[sertonix]

Prerequisites

• [X] This is NOT a YouTube, Facebook or Twitch report.
• [X] I read and understand the policy about what is a valid filter issue.
• [X] I verified that this issue is not a duplicate. (Search here to find out.)
• [X] I forced an update of my filter lists. (Click the "Purge all caches" button while holding the 'Shift' key, then click the "Update now" button.)
• [X] I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
• [X] I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
• [X] I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
• [X] I am not using uBlock Origin (uBO) along with other content blocker extensions.
• [X] I have verified that the web browser's built-in blocker or DNS blocking (standalone or through a VPN) is not causing the issue.
• [ ] I did not answer truthfully to ALL the above checkpoints.

URL(s) where the issue occurs.

office.com tasks.office.com (and many more)

Description

I stumbled upon a requests to /apc/trans.gif which returned a 1x1 pixel gif. The request had parameter add so were definitely used for tracking.

Multiple domain were pinged with the same path. When I searched for footprintdns.com I found this thread linking to a blog post. According to the blog post blocking the request should have a notable impact on the end user.

I would recommend blocking the /apc/trans.gif path for all domains and maybe collect some of the domains that it is send to and block these domain completely.

The scripts that send the footprint request could may be blocked too. Haven't tested that though. Here is the script doing the request for tasks.office.com at least: https://r4.res.office365.com/footprint/v3.2/scripts/fp-min.js

Edit: Note that the requests only seem to occur when you are logged in!

Other extensions used

darkreader (disabled for the website) libredirect

Screenshot(s)

No response

Configuration

Details

```yaml uBlock Origin: 1.54.0 Firefox: 120 filterset (summary): network: 167695 cosmetic: 44247 scriptlet: 19984 html: 1130 listset (total-discarded, last-updated): added: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt: 2508-1, 2h.7m https://codeberg.org/Sertonix/filterlist/raw/branch/main/filterlist.txt: 30-0, 2d.24m adguard-spyware-url: 1351-200, 3d.15h.37m adguard-spyware: 76742-16910, 3d.15h.37m default: user-filters: 2-0, never ublock-filters: 36850-71, 2h.7m ublock-badware: 7615-11, 2h.7m ublock-privacy: 933-52, 2h.7m ublock-unbreak: 2209-1, 2h.7m ublock-quick-fixes: 92-2, 2h.7m easylist: 75554-717, 2h.7m easyprivacy: 33127-804, 2h.7m urlhaus-1: 11195-0, 2h.7m plowe-0: 3777-1, 2d.19h.35m filterset (user): [array of 2 redacted] trustedset: added: [array of 1 redacted] switchRuleset: added: [array of 20 redacted] hostRuleset: added: [array of 14 redacted] userSettings: advancedUserEnabled: true hiddenSettings: [none] supportStats: allReadyAfter: 312 ms (selfie) maxAssetCacheWait: 195 ms ```

[mapx-]

*/footprint/*/scripts/fp-min.js$script,domain=office.com

@ryanbr @Alex-302

[sertonix]

||r4.res.office365.com/footprint/v3.2/scripts/fp-min.js$script,domain=office.com

I read that it is also used by sharepoint (and maybe others) which have different domains. EasyPrivacy uses domain=forms.microsoft.com|office.com|sharepoint.com|teams.microsoft.com on one entry so that might be better.

Maybe replace the version with * so it will keep working after an update: ||r4.res.office365.com/footprint/v*/scripts/fp-min.js$script,domain=office.com

I am not sure about the r4.res.office365.com domain. Especially the r4 seems like it could selected depending on reagion/server load.

[Alex-302]

I can't login and check. But we block ||footprintdns.com^$third-party also in DNS. Also I see fp.measure.office.com in this script.

[mapx-]

@Alex-302

[sertonix]

I can also find /apc/trans.gif requests to outlook.live.com *.fp.measure.office.com, *.res.office365.com, *-ring.msedge.net, outlook.office365.com

[sertonix]

And just confirmed that the same script runs on *.sharepoint.com

[sertonix]

I got the footprintdns from the script:

                  if ( - 1 === l.indexOf('.')) m += '.clo.footprintdns.com';
                   else if ('*' === l.charAt(0)) {
                    var g = l.substring(2);
                    m = n + c + '.' + g,
                    l = 'clo.footprintdns.com' === g ||
                    'fp.measure.office.com' === g ||
                    'azr.footprintdns.com' === g ? c : g

[sertonix]

Oh, that is nice, they made a list for us: https://r4.res.office365.com/footprint/v3.2/scripts/fpconfig.json

Edit: 3 more lists:

• https://config.fp.measure.office.com/conf/v2/o365se/fpconfig.min.json
• https://www.atmrum.net/conf/v1/atm/fpconfig.min.json
• https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw (It only loads sometimes)

[Alex-302]

@Sertonix All good when you block it?

[sertonix]

This should disable block all known requests:

! FootprintDNS
||*.res.office365.com/footprint/v*/scripts/fp-min.js$script
||*.res.office365.com/footprint/v*/scripts/fpconfig.json$script
||www.atmrum.net/rum.js$script
||www.atmrum.net/client/v*/atm/fpv*.min.js$script
||www.atmrum.net/conf/v*/atm/fpconfig.min.json$script
||config.fp.measure.office.com/conf/v*/*/fpconfig.min.json$script
||fp.msedge.net/conf/v*/asgw/fpconfig.min.json?monitorId=asgw$script

I would recommend also adding these to protect against changes/unknown uses of the footprint script:

/apc/trans.gif
/apc/r.gif
||www.atmrum.net/report/v*/atm/r.gif
||fp.msedge.net/r.gif
||odinvzc.azureedge.net/apc/trans.gif

[sertonix]

@Alex-302 all good for office related domains. atmrum.net I found in the blog post I linked so added it too.

[sertonix]

I found another fpconfig file but couldn't find the corresponding script. Added it to my list above.