
How Google Analytics code performs cross site scripting?

@Smith883

Posted in: #GoogleAnalytics

As we all probably know - browsers are not allowing us to perform any cross site scripting (for security reasons).

However Google Analytics code should perform one in order to inform Google server about site visitor activity.

So somehow Google's code bypasses this browser limitation. But how?


1 Comments


@Welton855

There are two things that play a part - first Google must be able to load additional tracking code, then it must be able to send information off to the Google Server.

The first part requires the Google Analytics snippet that you have to embed into your page. This code executes a header injection, i.e. it dynamically adds a script tag to the header of your page. This is per se not a security issue since you have inserted the necessary code yourself (however some people seem unaware that they have handed the keys to their website to Google). Since the script runs in the context of the page it can perform all kinds of actions like setting and reading first party cookies.

The second part is where the Google Analytics code transmits data. The default method to send data across domain boundaries is to generate an image tag via JavaScript and append all data as URL parameters. On the receiving end (i.e. the server that serves the image URL) is a script that writes the received data (both from the image URL parameters and from the HTTP request) to a file or a database before it returns a (transparent 1x1) image. This works simply because requesting external resources is the way the internet works - you cannot in toto block external resources via browser settings because the web wouldn't work if you did, so this is a safe, low-tech option for data transmission.
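The image-request transmission described in the answer above, sketched as an added example that is not part of the original post and is not Google's code. It runs under Node.js and shows both sides: how the page packs data into an image URL, and what the receiving server can record before it returns the pixel. The endpoint `collector.example`, the parameter names and the sample values are constructed assumptions.

```javascript
// Added illustration: endpoint, parameter names and sample values are constructed.
const ENDPOINT = "https://collector.example/collect"; // hypothetical collector

// Transparent 1x1 GIF returned for every hit, whatever the parameters were.
const PIXEL = Buffer.from(
  "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7", "base64");

// Page side: pack the data into the query string of an image URL.
function buildBeaconUrl(endpoint, data) {
  const url = new URL(endpoint);
  for (const [key, value] of Object.entries(data)) {
    url.searchParams.set(key, String(value)); // percent-encodes each value
  }
  return url.toString();
}

// Page side: setting src makes the browser issue a plain cross-origin GET.
// The script never reads the response, so the same-origin policy is not in the way.
function firePixel(url) {
  if (typeof Image === "undefined") return false; // not running in a browser
  new Image().src = url;
  return true;
}

// Collector side: log what arrived in the URL and in the request itself,
// then answer with the pixel.
function handleBeacon(requestUrl, headers) {
  const record = {
    params: Object.fromEntries(new URL(requestUrl).searchParams),
    referer: headers["referer"] || null,
    userAgent: headers["user-agent"] || null,
  };
  const responseHeaders = { "Content-Type": "image/gif", "Cache-Control": "no-store" };
  return { record, status: 200, headers: responseHeaders, body: PIXEL };
}

// Constructed round trip: one page view sent and received.
function demo() {
  const url = buildBeaconUrl(ENDPOINT, {
    page: "/pricing?plan=pro", title: "Pricing & plans", visitor: "v-1234" });
  const response = handleBeacon(url, {
    referer: "https://shop.example/pricing?plan=pro",
    "user-agent": "ExampleBrowser/1.0" });
  return { url, sent: firePixel(url), response };
}

console.log(demo().url, demo().response.record);
```

In proxy or web-server logs such a hit appears as an ordinary image GET whose query string carries the page data, which is the pattern to look for when auditing what a third-party script sends off-site.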
