@noidme/drift
v0.1.0-beta.0
Published
Tracker drift + CNAME-cloaking detection. Flags new tracker hosts appearing in production and third-party trackers hidden behind a first-party subdomain via CNAME cloaking, using an embedded public-suffix list to resolve the effective registrable domain.
Downloads
130
Maintainers
Readme
@noidme/drift
Zero-dependency tracker-drift and CNAME-cloaking detection for consent enforcement.
Trackers evolve — new hosts appear in production, and CNAME cloaking hides a third-party
tracker behind a first-party subdomain (analytics.shop.com → CNAME → tracker.com) to dodge
host-based rules. This module flags both, resolving the effective registrable domain with
an embedded public-suffix table so multi-label suffixes (co.uk, blogspot.com) are handled
correctly.
Extracted from noidme.js; usable standalone.
Install
npm i @noidme/driftUsage
Watch for drift
import { DriftMonitor } from '@noidme/drift';
const monitor = new DriftMonitor({
windowSize: 200, // rolling window of decisions
unknownRateThreshold: 0.3, // alert when >30% of the window hit unknown flows
warmup: 20, // ignore the first N decisions
onAlert: (a) => report(a), // { reason: 'new-host' | 'unknown-spike', detail, rate? }
});
// on every enforcement decision:
monitor.record(host, knownToPolicy);record(host, known) fires onAlert with reason: 'new-host' the first time a host appears
as unknown (after warmup — so a host that later flips from known to unknown still alerts),
and reason: 'unknown-spike' when the unknown-flow rate crosses the threshold. The spike alert
is edge-triggered: it fires once on the below→above transition and re-arms on recovery, so a
sustained spike won't flood your reporting endpoint. The seen-set is capped (seenCap, default
5000); on overflow the whole set is cleared, which re-alerts previously-seen hosts once.
Un-cloak a CNAME chain
The DNS resolution that reveals a chain happens at scan time on the edge; this is the SDK-side
classification given that chain. The chain is the ordered CNAME hops with the resolved target
last; effectiveHost reads the last entry.
import { effectiveHost, isCloaked, registrableDomain } from '@noidme/drift';
effectiveHost(['analytics.shop.com', 'tracker.com']); // 'tracker.com'
isCloaked('analytics.shop.com', ['analytics.shop.com', 'tracker.com']); // true
isCloaked('cdn.bbc.co.uk', ['cdn.bbc.co.uk', 'bbc.co.uk']); // false (same registrable domain)
registrableDomain('cdn.bbc.co.uk'); // 'bbc.co.uk'Best-effort negatives. eTLD+1 is resolved from a curated public-suffix table (common ccTLD 2LDs + multi-tenant hosting suffixes like
herokuapp.com/myshopify.com), not the full PSL. AtruefromisCloakedis reliable; afalsefor a suffix outside the table falls back to last-two-labels and may under-report. Degenerate/empty inputs returnfalse.
API
class DriftMonitor—new DriftMonitor(opts?),record(host, known),unknownRate().effectiveHost(chain: string[]): string— the real destination at the end of a CNAME chain.isCloaked(requestHost: string, chain: string[]): boolean— true ifrequestHostresolves to a different registrable domain than it appears to be.registrableDomain(host: string): string— eTLD+1 via the embedded public-suffix table.isKnownPublicSuffix(suffix: string): boolean.
License
MIT
