jazzband / django-analytical

Analytics services for Django projects


Piwik fallback img tracking is only served as plain HTTP

EvaSDK opened this issue · comments

In the noscript case, the tracking img is served as HTTP only:
https://github.com/jcassee/django-analytical/blob/master/analytical/templatetags/piwik.py#L37

However, if the site is served through HTTPS, this might trigger security warnings.

As a side note, since this is a templatetag, this could use request context to detect scheme and not rely on javascript to switch between HTTP and HTTPS.

If this makes sense to you, I'll provide a patch.

Good point. Most snippets just remove the scheme from the URL (src="//%(url)s/piwik.php?idsite=%(siteid)s"). Not all template contexts include the request, right?

All TemplateViews or Views inheriting TemplateResponseMixin, as long as response_class is not overridden, will have request in their context. See https://github.com/django/django/blob/master/django/template/response.py#L143. However, if // achieves the same, that's good enough for me.

Note that the protocol depends on whether the server supports it. Since Piwik is probably self-hosted in most cases we can't rely on HTTPS to be available. We should mention this detail in the documentation.

Wouldn't it make more sense to specify the scheme in PIWIK_DOMAIN_PATH? A lot of the code in analytical/templatetags/piwik.py seems to assume that the scheme of the server where the Piwik tracking code is being injected and the Piwik server itself are the same, but that is not a valid assumption.

For backwards compatibility, it would probably be best to simply allow the scheme to be specified in PIWIK_DOMAIN_PATH (currently not allowed), and fall back to using http:// if it is not specified. This is less safe from a security perspective, but safer from a backwards compatibility perspective.

@jcassee If this approach sounds viable, let me know and I'd be happy to file a pull request.

Yes, that's definitely possible. There are two things that come into my mind, though, with your proposal:

  • Better fall back to something generic, i.e. // instead of http:// (as proposed by Joost above)
  • When we have a complete URL then PIWIK_DOMAIN_PATH is the wrong name for the property; it should be named PIWIK_URL. In other words, add a new property and deprecate the old one.
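The three variants discussed in this thread, written out as an added example that is not the project's code: the reported behaviour (scheme hardcoded to http://, producing a mixed-content image on an HTTPS page), the scheme-relative // fallback derived from PIWIK_DOMAIN_PATH, and a separate PIWIK_URL setting that carries its own scheme and is checked to be http(s). PIWIK_DOMAIN_PATH and PIWIK_URL are the names used in the thread; PIWIK_SITE_ID and the function names are assumptions, the settings are passed as a plain dict, and the HTML is built by hand so the example runs without Django.

```python
"""Added example (not django-analytical code): resolving the Piwik
noscript tracking-image URL without a hardcoded scheme."""
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def legacy_noscript_img(domain_path, site_id):
    """The behaviour reported in the issue: the scheme is fixed to plain
    HTTP, so an HTTPS page embeds the image as mixed content."""
    return '<img src="http://%s/piwik.php?idsite=%d" style="border:0" alt="" />' % (
        escape(domain_path, quote=True), int(site_id))


def is_mixed_content(page_scheme, src):
    """True when a page served over HTTPS would fetch the image over HTTP.
    A scheme-relative src (//host/...) inherits the page scheme and is not
    mixed content."""
    return page_scheme == "https" and urlsplit(src).scheme == "http"


def resolve_piwik_base(settings):
    """Return the Piwik base URL without a trailing slash.

    Preference order (assumed, following the proposal in the thread):
      1. PIWIK_URL, which must be an absolute http:// or https:// URL
      2. PIWIK_DOMAIN_PATH, emitted scheme-relative as //host/path
    """
    url = settings.get("PIWIK_URL")
    if url:
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
            raise ValueError("PIWIK_URL must be an absolute http(s) URL: %r" % url)
        return url.rstrip("/")
    domain_path = settings.get("PIWIK_DOMAIN_PATH")
    if not domain_path:
        raise ValueError("PIWIK_URL or PIWIK_DOMAIN_PATH must be set")
    if "://" in domain_path:
        # The legacy setting is host/path only; a scheme belongs in PIWIK_URL.
        raise ValueError("PIWIK_DOMAIN_PATH must not contain a scheme; use PIWIK_URL")
    return "//" + domain_path.rstrip("/")


def noscript_img(settings):
    """Fixed fallback image: scheme-relative, or whatever PIWIK_URL says."""
    base = resolve_piwik_base(settings)
    site_id = int(settings["PIWIK_SITE_ID"])  # PIWIK_SITE_ID is an assumed setting name
    return '<img src="%s/piwik.php?idsite=%d" style="border:0" alt="" />' % (
        escape(base, quote=True), site_id)


if __name__ == "__main__":
    # Constructed settings, not taken from any real deployment.
    old = legacy_noscript_img("piwik.example.com", 1)
    new = noscript_img({"PIWIK_DOMAIN_PATH": "piwik.example.com", "PIWIK_SITE_ID": 1})
    print(old, is_mixed_content("https", old[10:].split('"')[0]))
    print(new, is_mixed_content("https", new[10:].split('"')[0]))
```

The scheme-relative form fixes the mixed-content warning only when the Piwik host actually answers on HTTPS, which is the caveat raised above for self-hosted installs; PIWIK_URL is the setting to use when the tracked site and the Piwik server do not share a scheme.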

Thank you @garrettr and @EvaSDK!