Is it possible to understand on your site whether a person has visited a search engine (Yandex, Google, etc.)?

W

weranda2020-08-31 18:12:02

Search engines

weranda, 2020-08-31 18:12:02

Greetings.
Is it possible to understand by some indirect signs on your site whether the visitor was in the search engine, even if he came to the site not from the PS?
Are there any indirect signs? Is it possible to request something through JS in cookies, local storage or somewhere else, maybe some file or something else?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

K

Kirill, 2020-09-01
@kirill89

Stop me if I'm talking nonsense, but in theory you can use a side-channel attack.
For example, we know that yandex uses the script https://yastatic.net/jquery/2.1.4/jquery.min.js
Then we can change the download time for the non-cached version (Math.random() to make the URL unique and skip the cache):

console.time('no cache');
fetch('https://yastatic.net/jquery/2.1.4/jquery.min.js?' + Math.random())
.then(r => r.text())
.then(() => console.timeEnd('no cache'));

And then measure the download time for a direct link:

console.time('yandex');
fetch('https://yastatic.net/jquery/2.1.4/jquery.min.js')
.then(r => r.text())
.then(() => console.timeEnd('yandex'));

I got something like this:

The screen shows that the non-cached version is many times slower than the cached one. For obvious reasons, this will only work once. So logic is needed to not perform this check twice for the same user.

D

Dimonchik, 2020-08-31
@dimonchik2013

usually not,
only clickjacking from the application, perhaps
, but the referrer used to work, well, now it seems to work too

M

McBernar, 2020-08-31
@McBernar

No, you only have access to cookies and storage on the current domain. Otherwise it would be a giant security hole.
It’s not just that user data is sold to global grids, and any third-party service collects everything about the user that it can reach.