GitHub

GitHub

Primarily appears on developer-focused sites via embedded Gist snippets or GitHub Buttons. These embeds load scripts from GitHub's CDN that may set session cookies. GitHub's own analytics infrastructure fires when GitHub-hosted pages are visited but does not typically appear as a third-party tracker on external sites.

Back to Vendor Library

Overview

GitHub is the world's largest software development platform, owned by Microsoft. On third-party websites, GitHub appears through embedded Gist code snippets, GitHub Buttons (star/fork/follow widgets), GitHub Badges, and repository statistics widgets. These embeds load JavaScript directly from github.com or buttons.github.io, which in turn may set GitHub cookies in the visitor's browser and transmit data to GitHub/Microsoft servers.

What This Script Does

GitHub Gist Embeds

A Gist embed inserts a <script src="https://gist.github.com/{user}/{gist-id}.js"> tag. This script dynamically injects a styled <div> containing the Gist's code content. When the script loads, GitHub's servers receive the visitor's IP address, user-agent, and referrer, and any GitHub session cookies present in the browser are sent along with the request.

GitHub Buttons

The GitHub Buttons library (buttons.github.io/buttons.js) renders interactive star, fork, and follow count widgets. It loads an iframe from ghbtns.com that communicates with the GitHub API to display real-time repository statistics. The iframe context may read GitHub session cookies.

GitHub Stats Badges

Some sites embed GitHub stats images or dynamic SVG badges that make requests to github.com or third-party GitHub stat services. These are typically not JavaScript-based and set no cookies.

Cookies Set

GitHub does not set new tracking cookies via embeds on third-party sites, but if the visitor is logged into GitHub, the following cookies are sent with requests to github.com:

  • _gh_sess — Third-party session cookie on github.com. GitHub's session authentication cookie. Duration: session.
  • user_session — Third-party persistent cookie on github.com. Stores the persistent GitHub login session. Duration: 2 weeks.
  • dotcom_user — Third-party persistent cookie on github.com. Stores the current GitHub username. Duration: 1 year.
  • logged_in — Third-party persistent cookie on github.com. Boolean flag indicating whether the user is signed in. Duration: 1 year.
  • _octo — Third-party persistent cookie on github.com. GitHub's telemetry and analytics cookie. Duration: 1 year.

Domains Contacted

  • gist.github.com — Gist embed JavaScript served from here.
  • github.com — Repository data and API requests for button widgets.
  • ghbtns.com — GitHub Buttons iframe CDN.
  • buttons.github.io — GitHub Buttons JavaScript library.

Data Collected Per Interaction

  • Referrer URL (the page embedding the GitHub widget)
  • Visitor IP address
  • Browser user-agent and language
  • GitHub account identity if the visitor is logged into GitHub (GitHub session cookies are sent with every request to github.com)
  • Repository interaction events (star, fork, follow) if the user is authenticated and clicks a button widget

Consent & Compliance

GDPR / ePrivacy: GitHub Gist and Button embeds cause the visitor's browser to make requests to github.com, which transmits the visitor's IP address and any GitHub session cookies. Under GDPR, transmitting a logged-in user's GitHub identity to GitHub's servers — even as a side effect of loading an embedded widget — constitutes personal data processing by GitHub as a data controller. The German DSK and other EU DPAs have addressed the principle that third-party resource embeds which transmit personal data require a lawful basis. For embeds loaded on every page view, consent is typically required.

CCPA / CPRA: GitHub (Microsoft) may receive personal information (IP, GitHub identity) from visitors to third-party sites via Gist or Button embeds. Operators should disclose GitHub in their privacy policy if using these embeds.

EU-US Data Privacy Framework: GitHub/Microsoft is certified under the EU-US DPF. Microsoft's standard SCCs apply to GitHub data processing.

Consent Category: Functional. GitHub embeds serve a presentational purpose (displaying code, repository statistics) rather than advertising or behavioral profiling.

Should You Block This Without Consent?

No. GitHub embeds serve a functional purpose — displaying code snippets or repository statistics. They do not perform advertising profiling or behavioral tracking. While IP address and session data are transmitted to GitHub's servers, this is incidental to the functional embed rather than a tracking purpose. However, operators in strict EU compliance environments may wish to self-host Gist content or use static code blocks to avoid any third-party network requests to GitHub, particularly since logged-in GitHub users have their identity disclosed to GitHub on every embed load.

Visit website

Consent Categories

Functional

Also Known As

GitHub Gist embedGitHub buttonsgithub.com scriptbuttons.github.ioGist cookieGitHub embed privacy

Industries

Programming and Developer SoftwareComputers Electronics and Technology

Tracked Domains (53)

github.comEssential
buttons.github.ioEssential
mreq.github.ioEssential
kenwheeler.github.ioEssential
purecatamphetamine.github.ioEssential
fluorescent.github.ioEssential
googleads.github.ioEssential
hatscripts.github.ioEssential
hammerjs.github.ioEssential
mindmup.github.ioEssential
theajack.github.ioEssential
gitcdn.github.ioEssential
tufts-technology-services.github.ioEssential
servicesem.github.ioEssential
wet-boew.github.ioEssential
malsup.github.ioEssential
kodir2.github.ioEssential
vli-platform.github.ioEssential
touhidul002.github.ioEssential
twitter.github.ioEssential
s9e.github.ioEssential
owlcarousel2.github.ioEssential
ewwwin.github.ioEssential
frantisekfr.github.ioEssential
yubinbango.github.ioEssential
htmlxm.github.ioEssential
afarkas.github.ioEssential
malihu.github.ioEssential
kjur.github.ioEssential
highcharts.github.ioEssential
thurnix01.github.ioEssential
fbhs-outdoors-digital.github.ioEssential
verinice.github.ioEssential
liveperson-pmi.github.ioEssential
artemsedin74.github.ioEssential
atugatran.github.ioEssential
classroomjq.github.ioEssential
dialogintelligens.github.ioEssential
embl-communications.github.ioEssential
flutter.github.ioEssential
googlechromelabs.github.ioEssential
maputnik.github.ioEssential
phase2.github.ioEssential
selectize.github.ioEssential
ticketmaster-api-staging.github.ioEssential
traefik.github.ioEssential
viglesias.github.ioEssential
webrtc.github.ioEssential
everymundo.github.ioEssential
lfucg.github.ioEssential
blueedgetechno.github.ioEssential
retrobowlubg.github.ioEssential
necromanican.github.ioEssential

Frequently Asked Questions

Is consent required for GitHub Gist or Button embeds?

No, but with caveats. GitHub embeds serve a functional purpose — displaying code and repository stats. They do not perform advertising tracking. However, logged-in GitHub users have their identity disclosed to GitHub on every embed load, so strict EU environments may require consent.

What data does a GitHub embed transmit?

GitHub Gist and Button embeds send the visitor's IP address, user agent, referrer URL, and any GitHub session cookies (_gh_sess, user_session, _octo) to github.com. Logged-in users have their GitHub identity transmitted with every request to github.com or ghbtns.com.

How does ConsentStack categorize GitHub embeds?

ConsentStack classifies GitHub as functional. Gist and Button embeds are not blocked by default as they serve a presentational purpose without advertising profiling. Operators in strict EU compliance environments can optionally gate them on functional consent.

Related Vendors

Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Apple Maps JS
Apple Maps JS
Apple Maps JS is Apple's JavaScript mapping framework for embedding interactive maps on websites. Scripts load map tiles, location pins, and routing data from Apple's MapKit servers to render navigable maps within web pages. Requires a MapKit JS token for authentication but does not set tracking cookies or collect behavioral analytics data.
Apple Business Chat
Apple Business Chat
Apple Business Chat enables direct customer messaging between websites and Apple's Messages app. Scripts load chat buttons and conversation interfaces that connect visitors to business support agents through iMessage. Sets minimal session cookies to maintain conversation context but does not track browsing behavior or collect analytics data.

Manage consent for GitHub

ConsentStack automatically detects and manages GitHub trackers so your site stays compliant with global privacy regulations.

Get started free