The Monoid Blog

Privacy, analytics, and the open web — written for developers.

RSS feed
6 min readEngineering & Performance

Timing-Allow-Origin: What Analytics Sees in the Resource Timing API

The Timing-Allow-Origin header controls how much cross-origin timing detail a page can read. Here is what it means for privacy-first performance measurement.

Read more
7 min readEngineering & Performance

Speculation Rules and Prerendering: What Analytics Gets Wrong About Prefetched Pages

Chrome's Speculation Rules API can render a page before a user ever clicks. Here's how it distorts naive analytics — and how cookieless, edge-based measurement stays honest.

Read more
4 min readEngineering & Performance

Your Analytics Script Is Probably Disabling the Back/Forward Cache

The back/forward cache makes back-button navigations near-instant, but one unload listener disables it for the whole page. Tracking scripts are the usual culprit — and CrUX now measures the damage.

Read more
4 min readLaw & Regulation

GDPR Data Transfers Are the One Compliance Risk You Can Architect Away

The EU-US Data Privacy Framework survived its first court challenge but is now on appeal to the CJEU. Analytics that never transfers EU data to the US has nothing to lose either way.

Read more
5 min readLaw & Regulation

The EDPB's 2026 Enforcement Target Is Your Privacy Notice

The EDPB's 2026 coordinated action audits transparency under GDPR Articles 12–14. The shortest path through it is collecting so little that the notice writes itself.

Read more
5 min readEngineering & Performance

Your Analytics Script Is the Hole in Your Content-Security-Policy

A strict CSP closes XSS. A third-party analytics tag reopens it. Here is why host allowlists and missing SRI undermine your policy — and what a first-party tracker fixes.

Read more
5 min readEngineering & Performance

Privacy by Default at the HTTP Layer: Headers That Shrink Your Tracking Surface

Two response headers — Permissions-Policy and Referrer-Policy — decide how much your pages can leak to ad-tech and third parties. Set them once and the surveillance surface closes by default.

Read more
4 min readEngineering & Performance

INP Punishes Heavy Analytics: Why Your Tracker Is on the Main Thread

Interaction to Next Paint is the Core Web Vital most sites fail, and field data shows behavior-tracking scripts are a leading cause. The fix is sending less work to the main thread.

Read more
4 min readLaw & Regulation

The Digital Omnibus Wants to Exempt First-Party Analytics From Consent

The EU's November 2025 Digital Omnibus proposes a consent exemption for first-party, internal-use audience measurement. It describes the model cookie-free analytics already runs.

Read more