No, you’re not being paranoid. Sites really are watching your every move (arstechnica.com)
62 points by gregcrv on Nov 20, 2017 | 9 comments



"umatrix" is terrific at exposing this kind of mischief, immediately upon your loading a new page -- as long as the logger has not been integrated into the main site's scripting.


Who'd have thought running arbitrary code from random websites was a bad idea?

Blocking all scripts (at least by default) is the only solution.


True. The problem is that websites like Walgreen, which simply break with no JS, are only getting more common. I'd like to make a point of simply closing the tab in such cases, but it's not always possible.


uBlock Origin and Ghostery deal with these kinds of trackers. Makes the internet a lot quieter.


What's a JS library that would do this? Would love to put a demo up on my website to show the user.


I did this in like 2005. I don't recall it taking more than an hour. For simple sites, probably faster to just implement it than find a library and read the docs.

Collection is easy. Just capture every key event and read the location of the mouse in a sufficiently tight loop. Timestamp everything, bunch it and send it to the server on a regular interval. You can do it in 10ish lines of JavaScript.

Playback is the hard part, depending on your infrastructure. But if your site is simple enough you don't even need a library; just load up the page the user was on and play back the data.

I'd be surprised if there isn't already a Dropbox company out there going the final 20% on this "just rsync it" comment though.
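
A defender-side counterpart to the collection approach described in the comment above, added here as an example (not code from the thread or from any product named in it): it records which scripts register keyboard and mouse listeners, including scripts served from the site's own origin. The names `installInputListenerAudit`, `callerFrame` and `INPUT_EVENTS` are assumptions of this example.

```javascript
// Added example: audit which scripts hook keyboard and mouse input.
// Event types a session-replay style collector would need to listen for.
const INPUT_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input',
  'mousemove', 'mousedown', 'mouseup', 'click', 'scroll',
]);

// First stack frame outside the audit wrapper, i.e. the code that registered
// the listener. Handles both "at f (url:1:2)" and "f@url:1:2" frame styles.
function callerFrame(stack) {
  const frames = String(stack || '').split('\n').map((l) => l.trim())
    .filter((l) => /:\d+:\d+\)?$/.test(l) && !l.includes('auditedAddEventListener'));
  return frames[0] || 'unknown';
}

// Wrap addEventListener on `proto` (hypothetical helper; defaults to the
// browser's EventTarget.prototype) and record input-listener registrations.
function installInputListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function auditedAddEventListener(type, listener, options) {
    if (INPUT_EVENTS.has(type)) {
      log.push({ type, caller: callerFrame(new Error().stack), at: Date.now() });
    }
    return original.call(this, type, listener, options);
  };
  return {
    log,
    // Map of registering frame -> sorted list of input event types it hooked.
    byCaller() {
      const out = {};
      for (const { type, caller } of log) {
        (out[caller] = out[caller] || new Set()).add(type);
      }
      for (const k of Object.keys(out)) out[k] = [...out[k]].sort();
      return out;
    },
    uninstall() { proto.addEventListener = original; },
  };
}
```

Install it before any other script on the page runs. It does not see handlers assigned through `onkeydown`-style properties or listeners registered before installation.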


FullStory, LogRocket, HotJar and Mouseflow all fit the bill, the search term of choice appears to be "session replay".


Funny, now "session replay" refers to both a privacy vulnerability and a security vulnerability.


> For simple sites, probably faster to just implement it than find a library and read the docs.

Not really - the implementation flow for tools that do this sort of thing is typically:

1. Register account

2. Dump JS snippet into page

3. Start watching live user sessions



