How does google analytics avoid same origin policy?

I had an idea for a project involving a JavaScript terminal utilising a specified PHP script as a server to carry out remote functions. I understand that the same origin policy would be an obstacle with such a project, but looking at Google Analytics, which I use every day, it seems they have a way of avoiding the problem on a huge scale.

Lee asked Dec 01 '12 13:12



2 Answers

Google Analytics, Google AdWords and practically all other analytics/web-marketing platforms use <img> tags.

They load their JS programs, those programs handle whatever tracking you put on the page, then they create an image and set the source of the image to be equal to whatever their server's domain is, plus add all of your tracking information to the query string.

The crux is that it doesn't matter how it gets there: the server is only concerned about the data which is inside of the URL being called, and the client is only concerned about making a call to a specific URL, and not in getting any return value. Thus, somebody chose <img> years and years ago, and companies have been using it ever since.

Norguard answered Nov 02 '22 17:11
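The image-beacon technique described in this answer, as an added example that is not part of the original answer or of any analytics vendor's code. The collector endpoint, parameter names and sample values are constructed for illustration; the server-side part only shows what the collector reads from the request URL.

```javascript
// Added example: an <img>-style tracking beacon that carries all data in the
// query string. The endpoint and parameter names below are hypothetical.
const BEACON_ENDPOINT = "https://collector.example.invalid/collect";

// Build the beacon URL. Every value is percent-encoded so that user-controlled
// strings (page title, current URL, referrer) cannot break the query string or
// smuggle in extra parameters. cacheBuster defaults to a timestamp so the
// browser issues a fresh request each time instead of serving a cached image.
function buildBeaconUrl(endpoint, params, cacheBuster = Date.now().toString(36)) {
  const url = new URL(endpoint);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, String(value));
  }
  url.searchParams.set("z", cacheBuster);
  return url.toString();
}

// Client side: setting an Image src sends a cross-origin GET. Nothing reads
// the response, which is why the same-origin policy does not get in the way:
// it restricts reading cross-origin responses, not sending simple requests.
// Returns false when no Image constructor exists (e.g. running under Node).
function fireBeacon(url) {
  if (typeof Image === "undefined") return false;
  const img = new Image(1, 1);
  img.src = url;
  return true;
}

// Server side: the collector cares only about the query string of the request
// it received. Decoding it back yields the original tracking fields; what the
// server sends in response (typically a 1x1 GIF) is irrelevant to the client.
function parseBeacon(requestUrl) {
  const fields = {};
  for (const [key, value] of new URL(requestUrl).searchParams) {
    fields[key] = value;
  }
  return fields;
}
```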


The modern way to allow cross-domain requests is for the server to respond with the following header to any requests:

Access-Control-Allow-Origin: *

This allows requests from any host, or alternatively a specific host can be used instead of *. This is called Cross Origin Resource Sharing (CORS). Unfortunately it's not supported in older browsers, so you need hacks to work around the browser in that case (as a commenter said, perhaps by requesting an image).

AshleysBrain answered Nov 02 '22 17:11