My understanding of cross-domain restrictions is that you can't verify which domain is loading your content using JavaScript or iframes. How, then, does Google know what incoming data is coming from users accessing the real domain? If someone uses my GA embed code on a different site, how does Google know the difference?
Google Analytics, in its default behavior, does not differentiate or validate the source of the data.
If someone were to maliciously put your GA account ID on their site, you'd get their data transmitted back to your account as if you'd put it on your site yourself.
However, by default, ga.js will append a hostname, from location.hostname, to the tracking data and have it available as a dimension. So, any traffic sent from foreign hostnames could be tracked, managed and segmented out.
If this becomes an issue, you could configure a Google Analytics filter to either exclude traffic from specific malicious domains, or include traffic to your specific domains.
This is very rarely an issue that comes up for people.
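The include-filter idea from the answer above, as an added example (not part of the original answer and not Google's code): it keeps only hits whose reported hostname is one of your own domains or a subdomain, and rejects lookalike hostnames that a substring or unanchored pattern match would let through. The domain list, function names and sample hits are constructed for illustration.

```javascript
// Added example: hostname allow-list, equivalent in spirit to an
// "include traffic to my hostnames" filter. OWN_HOSTS is an assumption.
const OWN_HOSTS = ["example.com"];

// Normalise a reported hostname: trim, lower-case, drop a trailing dot.
function normaliseHost(raw) {
  if (typeof raw !== "string") return "";
  return raw.trim().toLowerCase().replace(/\.$/, "");
}

// True only for an allowed domain itself or a real subdomain of it.
// Matching on a label boundary ("." + domain) rejects "notexample.com"
// and "example.com.tracker.test", which a substring test would accept.
function isOwnHost(raw, allowed = OWN_HOSTS) {
  const host = normaliseHost(raw);
  if (host === "") return false;
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

// Split hits into kept and foreign, counting foreign hits per hostname
// so unexpected sources can be reviewed before being excluded.
function partitionHits(hits, allowed = OWN_HOSTS) {
  const kept = [];
  const foreign = new Map();
  for (const hit of hits) {
    if (isOwnHost(hit.hostname, allowed)) {
      kept.push(hit);
    } else {
      const key = normaliseHost(hit.hostname) || "(not set)";
      foreign.set(key, (foreign.get(key) || 0) + 1);
    }
  }
  return { kept, foreign };
}

// Constructed sample hits carrying the hostname dimension.
const SAMPLE_HITS = [
  { hostname: "example.com", page: "/" },
  { hostname: "WWW.Example.com.", page: "/pricing" },
  { hostname: "example.com.tracker.test", page: "/" },
  { hostname: "notexample.com", page: "/" },
  { hostname: "other-site.test", page: "/a" },
  { hostname: "other-site.test", page: "/b" },
  { hostname: undefined, page: "/" },
];

const { kept, foreign } = partitionHits(SAMPLE_HITS);
console.log("kept:", kept.length, "foreign:", Object.fromEntries(foreign));
```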
The GA JavaScript (and any other JS you embed on your page) has access to the location object which contains the full URL, domain, etc.