
NHS's Covid-19 website includes advertiser tracking - known
https://markalanrichards.com/2020/05/15/covid19-app-website-includes-advertiser-tracking.html
======
jka
Although the article does include a video purporting to show this tracking
behaviour, is anyone able to reproduce it when visiting the NHS Covid-19
website without existing consent cookies for the NHS domain in their browser?

~~~
jka
Update: It looks like YouTube acts differently with regard to cookies,
depending on how the user's Do-Not-Track (DNT) header is set.

If the DNT header isn't present (likely the default for most users), then the
YouTube 'YSC' cookie is indeed set, and the author's issue is reproducible.

Since the DNT header didn't see much adoption[1], it's likely not a workable
solution to this privacy concern.

Assuming the correct behaviour is that the NHS site shouldn't set any third-
party cookies before user consent is provided, could anyone chime in with how
to resolve this?

Is there a way that the NHS could resolve this via server-side CSRF
configuration, or something similar? Or would it be necessary to only render
YouTube-related HTML content after consent is granted?

[1] - https://en.wikipedia.org/wiki/Do_Not_Track

~~~
jka
Update #2: The DNT header may have been a red herring, so I'm back to square
one and don't really know what the state of play here is after all.
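
The second option raised in the thread, rendering the YouTube HTML only after consent, could look like the sketch below. It is an added example, not code from the NHS site or from the commenter. The cookie name `embed_consent`, its value `granted`, the placeholder markup and the video ID are all assumptions.

```javascript
// Added example. The cookie name "embed_consent" and the value "granted" are
// hypothetical; a real site would read whatever its consent banner stores.
const CONSENT_COOKIE = "embed_consent";

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

function hasEmbedConsent(cookieHeader) {
  return parseCookies(cookieHeader).get(CONSENT_COOKIE) === "granted";
}

// Escape a value for a double-quoted HTML attribute or a text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
}

// Render one video slot on the server. Without consent the response holds no
// iframe, so the browser has nothing to fetch from the third party and no
// third-party cookie can be set. The URL waits in a data attribute that a
// click handler can turn into an iframe once the user agrees.
function renderVideo(embedUrl, title, cookieHeader) {
  const url = new URL(embedUrl);
  if (url.protocol !== "https:") throw new Error("embed URL must be https");
  const src = escapeHtml(url.href);
  const label = escapeHtml(title);
  if (hasEmbedConsent(cookieHeader)) {
    return `<iframe src="${src}" title="${label}" allowfullscreen></iframe>`;
  }
  return `<div class="video-placeholder" data-embed-src="${src}">` +
    `<button type="button">Allow YouTube content and play: ${label}</button></div>`;
}

// Constructed sample requests: first visit, then a visit after consent.
const SAMPLE_URL = "https://www.youtube.com/embed/VIDEO_ID";
console.log(renderVideo(SAMPLE_URL, "How the app works", ""));
console.log(renderVideo(SAMPLE_URL, "How the app works", "lang=en; embed_consent=granted"));
```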

