Is there any admin setting to enable Do Not Track for Twitter embeds? (Or does Twitter no longer respect dnt?)

[DanYork]

This is a follow-up to #41784.

Question - is there any admin setting I need to change to have the blocking in #41784 take effect? Or should it just be happening automatically for all oEmbed providers?

On my WP 4.9.5 sites, every time I drop the URL for a tweet into the editor, I get the nice embedded view - but I also wind up with two trackers from Twitter on my site.

Ticket #41784 seems like it should have passed along the "dnt" query parameter, which should have indicated to Twitter that I did not want the trackers. So my guess at this point is that either:

1. There is a setting somewhere to enable this that I have not turned on; or

2. Twitter is no longer respecting the (voluntary) "dnt" parameter.

Any insight would be greatly appreciated. Thanks!

[swissspidy]

Yeah the dnt parameter should be added to all embeds automatically since [41345].

There's no admin page or any setting you need to change.

Opening ​https://publish.twitter.com/oembed?url=https://twitter.com/swissspidy/status/991317230486016001&dnt=true should return the oEmbed result data where the actual HTML looks like <blockquote class="twitter-tweet" data-dnt="true". So that is what WordPress is printing on the page. Can you confirm that you see data-dnt in the source code when embedding a tweet?

Worth noting Twitter's description of the dnt parameter:

When set to true, the Tweet and its embedded page on your site are not used for purposes that include personalized suggestions and personalized ads.

So it's still possible that Twitter loads some scripts, just that it doesn't do anything with the data. Plus, you might have some other Twitter scripts on your site, e.g. a tweet or follow button.

[DanYork]

@swissspidy - Ah, thanks for the info. Here is an example on a test site where I dropped in a Twitter URL:

​http://danyork.org/2018/05/02/test-with-an-embedded-tweet/

When I look at the source code for that page, I do indeed see the dnt parameter:

<figure class="wp-block-embed is-type-rich is-provider-twitter">
    <blockquote class="twitter-tweet" data-width="525" data-dnt="true"><p lang="en" dir="ltr">That moment when you take a long, deep breath before opening your work email and Slack after being completely offline for a week&#8230;&#8230;&#8230;&#8230;&#8230;</p>&mdash; Dan York (@danyork) <a href="https://twitter.com/danyork/status/990917186461093889?ref_src=twsrc%5Etfw">April 30, 2018</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure>

However, when I look at Privacy Badger for that page, I do see both:

• platform.twitter.com
• syndication.twitter.com

as trackers.

Screenshot:

Presumably this is coming in from this part of the code:

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

So my question is answered, in that the "dnt" parameter *IS* being correctly added.

However, in the case of Twitter they seem to be continuing to add trackers to my pages, even though they may or may not be doing anything with the data. Or they may be using the data for their own purposes, but as they say, not for "personalized suggestions and personalized ads".