: How Google Analytics code performs cross site scripting? As we all probably know - browsers are not allowing us to perform any cross site scripting (for security reasons). However Google Analytics

@Welton855

There are two things that play a part - first Google must be able to load additional tracking code, then it must be able to send information off to the Google Server.

The first part requires the Google Analytics snippet that you have to embed into your page. This code executes a header injection, i.e. it adds dynamically a script tag to the header of your page. This is per se not a security issue since you have inserted the necessary code yourself (however some people seem unaware that they have handed to keys to their website to Google). Since the script runs in the context of the page it can perform all kind of actions like setting and reading first party cookies.

The second part is where the Google Analytics code transmits data. The default method to send data across domain boundaries is to generate an image tag via javascript and append all data as url parameters. On the receiving end (i.e. the server that serves the image url) is a script that writes the received data (both from the image url parameters and from the http request) to a file or a database before it returns an (transparent 1x1) image. This works simply because requesting external ressources is the way the internet works - you cannot in toto block external ressources via browser settings because the web wouldn't work if you did, so this is a safe, low-tech option for data transmission.

Vote Up Vote Down