Goals Firing on Ajax Confirmation Pages - javascript

I am trying to track goals firing using Google Analytics, and I am running into issues with tracking actual confirmation pages that are AJAX calls. The confirmation page isn't a URL exactly, but a .php file which is loaded in AJAX. I can't figure out for the life of me why goals aren't able to fire using an AJAX call, but I can easily track a URL.
Here is all the information I have regarding the goals, including the goals, and actual code and the landing page itself (https://docs.google.com/document/pub?id=1uUjX5wWOpy9w85fpocIz32gMIWvZSQzSG8WCBDSq4DA).

So, the URL that Google Analytics tracks is, by default, determined by what the browser detects (specifically, location.pathname+location.search). So, the filename of the php file that is loaded via AJAX is not relevant to Google Analytics, since by default, your trackPageview call will just send the URL that the browser shows (without the domain or anchor values).
Google Analytics allows you to pass a custom URL as the path, as the second parameter of trackPageview.
So, in your confirmation page, you need to switch the _gaq.push(['_trackPageview']); to be
_gaq.push(['_trackPageview', '/ed-JUNE-confirm']);
Now, there are other things that are confusing (for example, the multiple plain pageview calls on the same page), but, fundamentally, to 'trigger' the goal you need to send a pageview that has a head-match for your Goal URL, and use these virtual pageviews to accomplish it.

Related

Adobe Analytics DTM - Prevent initial server call on specific pages/subdomains?

I'm using Adobe DTM. What I'm trying to figure out is the best way to prevent the initial page load server call from going out on specific pages. The reason is, many parts of our website are 3rd party integrations separated by subdomains. Some of these 3rd party sites are Single Page Applications (SPA). Since most of our site is not a SPA, I need to figure out how to stop the initial server call when I hit one of these subdomains? The vendor is updating the s.pageName variable mapping on their end so I need to prevent the initial call from firing or I'll get two calls initially. I have a data element and event-based rule set-up to detect a change in the page name. I just need to stop it the first time.
Thanks!
In DTM, to prevent that default beacon on page load, you need to put a "return false" statement for those urls somewhere in your Adobe tool code. http://www.digitaldatatactics.com/examples/DCRsuppress.html has an example.

Collecting user stats/logs on third party sites with javascript

I want to collect statistic (views/clicks/browser info/etc.) for my javascript widget which installed on third party web-sites and after that provide analytics for each domain owner (such as: on my web site I will create interface in which domain's owner could login and see stats for his domain).
I assume that I need to integrate tracking pixel in my widget. And after that parse all request for that pixels.
I've got several question about architecture and implementation of stats/log collection:
When using tracking pixel do I need to add all stats as GET parameters? for example when browser loads my js-widgwt I could get all parameters in widget's javascript and after that make ajax request:
my-stats-domai.com/?widget_id=1&domain=example.com&browser=chrome&city=London&type=view....
or there is another way to get/send all parameters?
What is the easiest/fastest way to collect all users info (browser info, referer, url, get params, etc.)? Maybe there is common approach, logs format or specification for users/visitors log?
When tracking user clicks (or other actions) I assume that I need to use ajax request from onclick?
When using onclick do I need to append all browser info, refferer, etc. to url as GET parameters?
Is there any javascript/jquery plugin that could help me collect user stats on third-party sites? And maybe there is any open source php log-parser for my backend to send logs to datastore (mysql).
Maybe I should use piwik or other tracking systems, but I think that it will be kinda overhead. What is pros/cons of using piwik (or smth. else) for my task?
P.S. If there some useful reading about this theme please share a link.
try using microsoft clarity. They have small screen recordings of the widget and you can view errors, clicks, sites, backlinks and more

Security in embedded iframe/javascript widget

I'm building a website that is functionally similar to Google Analytics. I'm not doing analytics, but I am trying to provide either a single line of javascript or a single line iframe that will add functionality to other websites.
Specifically, the embedded content will be a button that will popup a new window and allow the user to perform some actions. Eventually the user will finish and the window will close, at which point the button will update to a new element reflecting that the user completed the flow.
The popup window will load content from my site, but my question pertains to the embedded line of javascript (or the iframe). What's the best practice way of doing this? Google analytics and optimizely use javascript to modify the host page. Obviously an iFrame would work too.
The security concern I have is that someone will copy the embed code from one site and put it on another. Each page/site combination that implements my script/iframe is going to have a unique ID that the site's developers will generate from an authenticated account on my site. I then supply them with the appropriate embed code.
My first thought was to just use an iframe that loads a page off my site with url parameters specific to the page/site combo. If I go that route, is there a way to determine that the page is only loaded from an iframe embedded on a particular domain or url prefix? Could something similar be accomplished with javascript?
I read this post which was very helpful, but my use case is a bit different since I'm actually going to pop up content for users to interact with. The concern is that an enemy of the site hosting my embed will deceptively lure their own users to use the widget. These users will believe they are interacting with my site on behalf of the enemy site but actually be interacting on behalf of the friendly site.
If you want to keep it as a simple, client-side only widget, the simple answer is you can't do it exactly like you describe.
The two solutions that come to mind for this are as follows, the first being a compromise but simple and the second being a bit more involved (for both you and users of your widget).
Referer Check
You could validate the referer HTTP header to check that the domain matches the one expected for the particular Site ID, but keep in mind that not all browsers will send this (and most will not if the referring page is HTTPS) and that some browser privacy plugins can be configured to withhold it, in which case your widget would not work or you would need an extra, clunky, step in the user experience.
Website www.foo.com embeds your widget using say an embedded script <script src="//example.com/widget.js?siteId=1234&pageId=456"></script>
Your widget uses server side code to generate the .js file dynamically (e.g. the request for the .js file could follow a rewrite rule on your server to map to a PHP / ASPX).
The server side code checks the referer HTTP header to see if it matches the expected value in your database.
On match the widget runs as normal.
On mismatch, or if the referer is blank/missing, the widget will still run, but there will be an extra step that asks the user to confirm that they have accessed the widget from www.foo.com
In order for the confirmation to be safe from clickjacking, you must open the confirmation step in a popup window.
Server Check
Could be a bit over engineered for your purposes and runs the risk of becoming too complicated for clients who wish to embed your widget - you decide.
Website www.foo.com wants to embed your widget for the current page request it is receiving from a user.
The www.foo.com server makes an API request (passing a secret key) to an API you host, requesting a one time key for Page ID 456.
Your API validates the secret key, generates a secure one time key and passes back a value whilst recording the request in the database.
www.foo.com embeds the script as follows <script src="//example.com/widget.js?siteId=1234&oneTimeKey=231231232132197"></script>
Your widget uses server side code to generate the js file dynamically (e.g. the .js could follow a rewrite rule on your server to map to a PHP / ASPX).
The server side code checks the oneTimeKey and siteId combination to check it is valid, and if so generates the widget code and deletes the database record.
If the user reloads the page the above steps would be repeated and a new one time key would be generated. This would guard against evil.com from page scraping the embed code and parameters.
The response here is very thorough and provides lots of great information and ideas. I solved this problem by validating X-Frame-Options headers on the server-side , though the support for those is incomplete in browsers and possibly spoofable.

Button clicks count as pageviews

My client has a single page website and want each click on the main menu for a site area count as a pageview in Google Analytics. Is this possible? I advised him to use events.
Yes, call _trackPageview in JavaScript.
_trackPageview()
_trackPageview(opt_pageURL)
Main logic for GATC (Google Analytic Tracker Code). If linker functionalities are enabled, it attempts to extract cookie values from the URL. Otherwise, it tries to extract cookie values from document.cookie. It also updates or creates cookies as necessary, then writes them back to the document object. Gathers all the appropriate metrics to send to the UCFE (Urchin Collector Front-end).
Async Snippet (recommended)
https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApiBasicConfiguration#_gat.GA_Tracker_._trackPageview

Change all links on a page to point to login with Spring MVC

This is more of a discussion, rather than a real question...
I'm building a site and I am struggling with how to force a user to login to the site to access certain areas and take certain actions. I'm using spring security and have it integrated fairly well, however, I also have some AJAX calls that need to be secured and when Spring Security intercepts my calls it attempts to send back the HTML for login page to my AJAX callback which doesn't do me any good.
In passed applications, when I was using Struts, I was able to override the html:link tag and check login in the tag and rewrite the href to point to my login page (instead of my ajax script), however, I'm using Spring MVC and I don't have that luxury (if you can call it one).
I'm playing with some ideas such as:
Iterating through all my links on the page and rewriting the href of the links that have a certain class if the user is not logged in
Create a custom tag from scratch
Ditch the fancy AJAX stuff
It looks like other sites, such as, DZONE and Digg do something similar; so I know it's possible.
I'm looking for any ideas at this point, just something fresh to try, other than the three options above. Of the three, I think I'm leaning more towards #1.
If I understand your question correctly, you are asking how you can get around your secured AJAX requests returning redirects to your login page (or the login page itself) to your AJAX handler?
I would organise your application so that calls to secured AJAX request are only done from pages that are secured themselves. That way all requests that you initiate (from your own pages) are guaranteed to work and any requests that come from somewhere else (potentially malicious ones) from AJAX or normal page requests will be redirected to the login page.

Categories

Resources