Closed
Bug 946697
Opened 11 years ago
Closed 11 years ago
Force TLS for analytics
Categories
(Websites :: Web Analytics, task)
Websites
Web Analytics
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: sjw+bugzilla, Assigned: sjw+bugzilla)
Details
(Whiteboard: [kb=1389612][qa-])
I propose to remove the http support for web analytics.
E.g. Google-Analytics:
- ga.src = ('https:' == d.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+ ga.src = 'https://ssl.google-analytics.com/ga.js';
|
||
Comment 1•11 years ago
|
||
(In reply to sjw from comment #0)
> I propose to remove the http support for web analytics.
> E.g. Google-Analytics:
> - ga.src = ('https:' == d.location.protocol ? 'https://ssl' :
> 'http://www') + '.google-analytics.com/ga.js';
> + ga.src = 'https://ssl.google-analytics.com/ga.js';
Won't this cause mixed content issues on sites that cannot use https for whatever reason? For example, we cannot force https on mozilla.org because the CDNs that we use are not SSL-enabled and we have seen mixed content blocking stopping Firefox downloads. We are currently discussing the cost of SSL CDNs for Firefox downloads and thus we could force SSL on www.mozilla.org.
Mixed content is only a problem is a secure site has unsecured content. And if a client doesn't support TLS he can still see the site (doesn't support mozilla.org HSTS?), the only thing is we couldn't track him. But I think this scenario is very unrealistic and it wouldn't affect the statistic.
|
||
Comment 4•11 years ago
|
||
I believe the ga.js file needs to be served using the same protocol as the document it's used in (hence why Google don't just use https:// all the time anyway), so probably the most appropriate fix for this bug would be to switch www.mozilla.org over to using https by default.
I use the same practice for my http-only websites and I didn't notice any regression. So there is no reason to use http.
Of course, HSTS on all Mozilla sites would be the best solution.
|
|
||
Comment 6•11 years ago
|
||
Here is some interesting info on the protocol check that also has a lot of discussion around it:
http://mathiasbynens.be/notes/async-analytics-snippet#protocol-check
Seems the main reason is down to the way Google (apparently) segment IP pools and optimize the download speed of ga.js. It's also worth noting that the protocol check is no longer present in the new Universal Analytics snippet, which uses a protocol relative URL instead. We (may) be moving to that soon anyway.
So, unless I can find a piece of official Google Analytics documentation detailing that this change is in-fact OK, I'd be hesitant to make this change.
I'm cc'ing Gareth Cull who may know some more info here.
Flags: needinfo?(garethcull.bugs)
|
|
||
Comment 7•11 years ago
|
||
Gareth, this may be safe to do, but it would be good to get some info from someone at Google if possible? Thanks
|
||
Comment 8•11 years ago
|
||
https://github.com/mozilla/nocturnal/pull/26 depends on this.
A third pull is also affected: https://github.com/mozilla/mozillians/pull/961
But I'll wait now until this one is considered.
It would make sense to update the analytics script on every Mozilla site. Maybe we should move all of them to a place, where we can make global changes (See also bug 946705).
|
||
Comment 10•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/mozillians
https://github.com/mozilla/mozillians/commit/27ed9d2a47bf5740017f985317296d2ce649f73f
[bug 946697] Force HTTPS for analytics.
|
||
Comment 11•11 years ago
|
||
(In reply to sjw from comment #9)
> A third pull is also affected: https://github.com/mozilla/mozillians/pull/961
> But I'll wait now until this one is considered.
Mozillians is https only so we can, and we did, force https for google analytics.
|
|
||
Updated•11 years ago
|
Whiteboard: [kb=1389612]
|
|
||
Comment 12•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/remo
https://github.com/mozilla/remo/commit/9d628c427f21dc115eeb38723edf2bdae19e4200
[bug 946697] Force HTTPS for analytics.
|
||
Comment 13•11 years ago
|
||
Alex, we are hoping to upgrade to Universal Analytics in the near future. Let me talk with cmore about an updated timeline to upgrade our snippets to UA.
Flags: needinfo?(garethcull.bugs)
|
|
||
Comment 14•11 years ago
|
||
Ok, I'm going to leave this bug open but close the current PR.
We will either address this when we upgrade to Universal Analytics (Comment 13), or this bug will become obsolete when we switch to https by default on mozilla.org. Whichever happens first, we can then close this bug.
:swj thank you for the PR nonetheless!
Status: ASSIGNED → NEW
|
||
Updated•11 years ago
|
Whiteboard: [kb=1389612] → [kb=1389612][qa-]
|
|
||
Comment 15•11 years ago
|
||
Good news - mozilla.org now defaults to https, so we can mark this as resolved!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•