My understanding of cross-domain restrictions is that you can't verify which domain is loading your content using JavaScript or iframes. How, then, does Google know what incoming data is coming from users accessing the real domain? If someone uses my GA embed code on a different site, how does Google know the difference?
asked Jan 17, 2012 at 18:23 by Citizen

Comments:

because when your GA code is slapped into some other site's markup, when that site is visited by a user, Google's servers will see the user request the GA .js tracking code with a referer pointing back at that other site. – Marc B, Jan 17, 2012 at 18:28

My wild, unverified assumption is that it sends the value of window.location (or one of its properties) along with the rest of the data it collects. – Ryan Kinal, Jan 17, 2012 at 18:28

3 Answers
Google Analytics, in its default behavior, does not differentiate or validate the source of the data.
If someone were to maliciously put your GA account ID on their site, you'd get their data transmitted back to your account as if you'd put it on your site yourself.
However, by default, ga.js will append a hostname, from location.hostname, to the tracking data and have it available as a dimension. So, any traffic sent from foreign hostnames could be tracked, managed and segmented out.
If this becomes an issue, you could configure a Google Analytics filter to either exclude traffic from specific malicious domains, or include traffic to your specific domains.
This is very rarely an issue that comes up for people.

The GA JavaScript (and any other JS you embed on your page) has access to the location object which contains the full URL, domain, etc.

Cross-domain tracking is required anytime you want to track GA in a single session across multiple domains that you control. If you do not use it or have it configured wrong, you will have meaningless data and will also have a shortage of assignments for their point of conversion. Google Analytics uses first-party cookies that are attached to the visitor's browser.
Those cookies contain data about when the visitor last visited the site, what page it was, and a variety of other data. When the user clicks between pages or comes back at a later date, the ga.js JavaScript looks for the existence of that first-party cookie. If it doesn't find a cookie, then it views that visitor as a brand new visitor (that has NEVER been to your site). First-party cookies are great, but for security reasons, they do not transfer between domains. The first-party cookie is linked directly to the domain that set it and will not be accessible by any other domain.
If you want to get data from a specific domain, you can create a hostname filter, of the insertion type. That is, only receiving data exclusive to this domain.
Using the old version of Google Analytics, clicking on Visitors > Network Settings > Hostname, you can see the information of domains that are sending data to you.
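
The hostname include filter mentioned in the first and last answers, sketched as an added example (not code from the original posts or from Google Analytics): it applies an allowlist to constructed hit records that carry the hostname dimension. OWNED_HOSTS, the hit shape and the function names are assumptions for illustration, and treating any subdomain of an owned host as owned is also an assumption.

```javascript
// Added example: hostname include filter over constructed hit records.
// OWNED_HOSTS and the hit shape { hostname, page } are assumptions.
const OWNED_HOSTS = ["example.com", "shop.example.com"];

// Normalize a reported hostname: whitespace, case, and a trailing dot.
function normalizeHost(hostname) {
  if (typeof hostname !== "string") return "";
  return hostname.trim().toLowerCase().replace(/\.$/, "");
}

// True only for an owned host or a subdomain of one. Matching on a label
// boundary means "example.com.other.test" and "notexample.com" both fail,
// which an unanchored substring or regex match would let through.
function isOwnedHost(hostname, owned = OWNED_HOSTS) {
  const host = normalizeHost(hostname);
  if (host === "") return false;
  return owned.some((o) => host === o || host.endsWith("." + o));
}

// Split hits into those kept by the include filter and a per-hostname
// count of everything else, so foreign senders can be reviewed.
function applyIncludeFilter(hits, owned = OWNED_HOSTS) {
  const kept = [];
  const foreign = Object.create(null); // no inherited keys to collide with
  for (const hit of hits) {
    if (isOwnedHost(hit.hostname, owned)) {
      kept.push(hit);
    } else {
      const key = normalizeHost(hit.hostname) || "(not set)";
      foreign[key] = (foreign[key] || 0) + 1;
    }
  }
  return { kept, foreign };
}

// Constructed sample hits, all sent with the same account ID.
const SAMPLE_HITS = [
  { hostname: "example.com", page: "/" },
  { hostname: "Shop.Example.com.", page: "/cart" },
  { hostname: "example.com.other.test", page: "/" },
  { hostname: "notexample.com", page: "/copy" },
  { hostname: "notexample.com", page: "/copy2" },
  { hostname: "", page: "/" },
];

const result = applyIncludeFilter(SAMPLE_HITS);
console.log(result.kept.length, result.foreign);
```
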