Cobalt continues connecting to the Plausible instance after analytics are disabled

[celenityy]

bug description

Despite enabling don't contribute to analytics under settings -> privacy, cobalt.tools continues connecting to https://a.imput.net/js/script.js. This functionality should be entirely disabled once analytics are disabled - users have no way to verify you're dropping it on the server side (which is what I suspect is happening here).

reproduction steps

1. On cobalt.tools, enable don't contribute to analytics under settings -> privacy.
2. Observe that connections are still made to https://a.imput.net/js/script.js - (I confirmed with uBlock Origin).

screenshots

No response

links

platform information

Phoenix (Firefox) 135.0.1

additional context

I love Cobalt, and I'd really like to include a.imput.net on my BadBlock Ethical Whitelist, as you otherwise perfectly meet the criteria, but this issue is unfortunately preventing me from doing so.

I'd also like to ask: Would you consider disabling these analytics automatically if Global Privacy Control is enabled?

[wukko]

hey! the script should stop making requests completely once it sees plausible_ignore in local storage, can you check if it’s present in your case? i’ll look into this soon cuz this obviously shouldn’t happen

[wukko]

it’s also supposed to log “ignoring event” in console: https://plausible.io/docs/excluding-localstorage

[wukko]

just figured out what you meant in the issue, the js script doesn't do any analytics by being loaded, it sends a separate fetch request to /api/event which is indeed not sent when plausible_ignore is present:

however, i could make it not load the script at all, though i don't see how it's beneficial

[wukko]

Would you consider disabling these analytics automatically if Global Privacy Control is enabled?

cobalt's plausible analytics are already private, it doesn't track anyone, just aggregated number of traffic, so i don't think it's really applicable here?

[celenityy]

Thanks for the quick response and clarification!

however, i could make it not load the script at all, though i don't see how it's beneficial

I think it'd be best not to load the script at all. If anything, it'd give users more peace of mind and not mislead them into thinking Cobalt is still sending analytics after disabling them in settings (even though it isn't). Also probably a good idea to not make unnecessary connections/load unnecessary scripts for bandwidth/resource consumption (I doubt this is making a meaningful impact there to be clear, but I think it's still a good rule of thumb). It'd also help reduce the load/unnecessary blocking for those using content blockers that block a.imput.net.

cobalt's plausible analytics are already private, it doesn't track anyone, just aggregated number of traffic, so i don't think it's really applicable here?

That's completely understandable. To be clear, I don't have any doubts that Cobalt is tracking users - and I believe you've gone above and beyond in protecting the privacy of users. I think my main reason for suggesting this was to allow users a way to easily opt out of analytics persistently without needing to save cookies, and I feel like you'd still get quality analytics (as the majority of browsers don't enable GPC by default). But this isn't a big deal as long as analytics are disabled when the plausible_ignore cookie is present (since users can use ex. uBlock Origin to automatically set this cookie).