The team works hard to minimize website side effects. Sometimes leaks are unavoidable or are included by design. These Wisdom side effects are documented here.
In just about every case, all Wisdom resources have been prefixed with
__WISDOM. For certain enterprise partners, an additional vendor identifier can be appended to the namespace. For example, a vendor named ACME could utilize the
__WISDOM__ACME namespace. For resources hosted on scripts.getwisdom.io, a “/namespace/ACME/” vendor directory exists. There are only a few exceptions where vendor identifiers are not used.
Exposed Wisdom Variables: The following variables are intentionally exposed by wisdom, and are customizable.
Polyfills: The following variable leaks are expected to be removed in the future.
Elements & IDs
All HTML Nodes have the property
Further, two Elements may be created by the Wisdom service depending on tracking configurations:
Wisdom primarily utilizes Local Storage for keeping a few UUIDs.
|Storage Engine||Side Effect or Variable Leak||Description|
|Fallback system to calculate the browser's zoom level.|
|To analyze content navigation paths|
Content Security Policies
In sending recorded data to the Wisdom servers, certain content security policies (CSPs) must be amended.
content-security-policy:script-src: https://script.getwisdom.io/connect-src:wss://producer.getwisdom.io/https://producer.getwisdom.io/https://cobrowse.getwisdom.io/wss://cobrowse.getwisdom.io/worker-src: https://script.getwisdom.io/
3rd Party Identity Module
content-security-policy:frame-src: https://wisdom-identity-exchange.com/child-src: https://wisdom-identity-exchange.com/
The following modules when enabled will require CSPs to be amended. See further below for details.
CHROME EXTENSION DETECTION
- Although child-src is deprecated and replaced with frame-src, for enhanced compatibility it is included.
- Web workers are not yet supported, but for future proofing is included.
The 3RD PARTY IDENTITY MODULE sends one post message from the
wisdom-identity-exchange.com/ origin containing the visitor’s identityId, if available.
The posted message data includes the property field
Note that this property does not support a vendor identifier.
AccountID is also specified in the event data.
Proxies the “console” object using a simple function wrapper.
Error Source Type
Proxies window.addEventListener & window.removeEventListener to add a named dummy function in order to record the event listener type into the handler’s stack trace. When an error occurs, it is possible to determine what event source triggered the error.
The dummy function name for example would be:
HTTP POST to
https://www.googleapis.com/geolocation/v1/geolocate to use Google’s IP address geolocation system.
This client side query may deprecate soon due to Wisdom’s own IP geolocation system
determining the visitor’s country already for regulatory compliance reasons.
Chrome Extension Detection
This feature loads around 150 of some of the more common Chrome Extensions that have publicly accessible resources.
Sends HTTP HEAD requests to
NOTE: Content Security Policies will need to include
Replay Side Leaks:
Note that the tagname has set the XML namespace to WISDOM. Example:
Checking Global Variable leaks yourself
Here is a quick JS snippet to check which variables are leaked globally to help ensure Wisdom is free from naming conflicts.