Piwik fallback img tracking is only served as plain HTTP
EvaSDK opened this issue · comments
In the noscript case, the tracking img is served as HTTP only:
https://github.com/jcassee/django-analytical/blob/master/analytical/templatetags/piwik.py#L37
However, if the site is served through HTTPS, this might trigger security warnings.
As a side note, since this is a templatetag, this could use request context to detect scheme and not rely on javascript to switch between HTTP and HTTPS.
If this makes sense to you, I'll provide a patch.
Good point. Most snippets just remove the scheme from the URL (src="//%(url)s/piwik.php?idsite=%(siteid)s"). Not all template contexts include the request, right?
All TemplateView or Views inheriting TemplateResponseMixin, as long as response_class is not overridden, will have request in their context. See https://github.com/django/django/blob/master/django/template/response.py#L143. However, if // achieves the same, that's good enough for me.
Note that the protocol depends on whether the server supports it. Since Piwik is probably self-hosted in most cases we can't rely on HTTPS to be available. We should mention this detail in the documentation.
Wouldn't it make more sense to specify the scheme in PIWIK_DOMAIN_PATH? A lot of the code in analytical/templatetags/piwik.py seems to assume that the scheme of the server where the Piwik tracking code is being injected and the Piwik server itself are the same, but that is not a valid assumption.
For backwards compatibility, it would probably be best to simply allow the scheme to be specified in PIWIK_DOMAIN_PATH (currently not allowed), and fall back to using http:// if it is not specified. This is less safe from a security perspective, but safer from a backwards compatibility perspective.
@jcassee If this approach sounds viable, let me know and I'd be happy to file a pull request.
Yes, that's definitely possible. There are two things that come into my mind, though, with your proposal:
- Better fall back to something generic, i.e. // instead of http:// (as proposed by Joost above)
- When we have a complete URL then PIWIK_DOMAIN_PATH is the wrong name for the property; it should be named PIWIK_URL. In other words, add a new property and deprecate the old one.
Thanks.
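A sketch of the approach discussed in this thread, added as an illustration and not taken from django-analytical: the configured value may carry an optional scheme, a value without one falls back to `//`, and an explicit `http://` tracker on an HTTPS page is rejected as mixed content. The function names and the `example.com` hosts used to exercise it are assumptions.

```python
import re
from html import escape

# Hypothetical helpers for illustration; not django-analytical's API.
_HOST_PATH_RE = re.compile(r'[A-Za-z0-9][\w.\-:/~]*')


def split_tracker_setting(value):
    """Split a tracker setting into (scheme, host_and_path).

    scheme is 'http', 'https', or '' when the value has no scheme
    (legacy PIWIK_DOMAIN_PATH style, or already protocol-relative).
    """
    value = value.strip().rstrip('/')
    if '://' in value:
        scheme, rest = value.split('://', 1)
        scheme = scheme.lower()
        if scheme not in ('http', 'https'):
            raise ValueError('unsupported scheme: %r' % scheme)
    else:
        scheme, rest = '', value[2:] if value.startswith('//') else value
    if not _HOST_PATH_RE.fullmatch(rest):
        raise ValueError('invalid tracker host/path: %r' % rest)
    return scheme, rest


def noscript_img_src(setting, site_id, page_is_secure):
    """Build the src of the <noscript> tracking image."""
    scheme, rest = split_tracker_setting(setting)
    if page_is_secure and scheme == 'http':
        # An http:// image on an HTTPS page is mixed content.
        raise ValueError('http:// tracker configured for an HTTPS page')
    # No scheme given: fall back to '//' so the browser reuses the page's
    # scheme. On HTTPS pages this only works if the tracker serves HTTPS.
    prefix = scheme + '://' if scheme else '//'
    return '%s%s/piwik.php?idsite=%d' % (prefix, rest, int(site_id))


def noscript_tag(setting, site_id, page_is_secure):
    """Render the fallback tag with the src attribute HTML-escaped."""
    src = escape(noscript_img_src(setting, site_id, page_is_secure))
    return '<noscript><img src="%s" style="border:0" alt="" /></noscript>' % src
```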