Tracking code could use HTTPS when the Piwik server is configured to force SSL connections #7366
Comments
Sure. This URL is missing the protocol to let the browser decide which protocol to use, based on the website the tracking code is on. That way the tracking pixel will always use the same protocol as the tracked website.
For more information: https://en.wikipedia.org/wiki/Uniform_resource_locator#Protocol-relative_URLs
Thanks for the clarification! First it did not work on my site but now it interestingly does.
See #7267 where we talked about a similar thing. We're getting this feedback quite often recently. 👍 for this
I renamed the issue in an attempt to clarify the scope. I'm not 100% sure that we should make HTTPS tracking the default when
I think it is more about what users expect. When I set a
Also maybe an interesting read: The Protocol-relative URL technique is now an anti-pattern
in the forums, a user expected
Provide two separate options to
As part of this issue we should also check this FAQ: This was reported in feedback:
See also: Google Analytics uses HSTS - maybe we could send this response header HSTS? https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
In my opinion this is quite important. As a result
HSTS would solve this (at least after the first request), but it also should work without it.
@Findus23 I have just updated https://plugins.piwik.org/ForceSSL to also force SSL in generated tracking code.
@tsteur That's great. Maybe also suggest enabling
The plugin sets "force_ssl" automatically
@tsteur, I am still not sure if adding this feature to a plugin that only few people will use solves this issue. Because of this the majority of users will still send the private data of their users over unencrypted HTTP even though their Piwik server supports SSL, and as a result they think "everything is secure" even though it isn't. (And I think the use case of having Piwik on a modern server with an SSL cert, but tracking an old legacy website which only runs via HTTP, is quite common.) It shouldn't matter how the website is delivered, the tracking data should always be sent via the most secure way possible.
See #7366 (comment); it should still be forced in Piwik as well eventually IMO.
@tsteur, what comment do you mean? The link just links to this issue.
That's funny, the link seems to not work. I meant my second comment.
Solving this issue will actually solve real bugs, so increasing priority.
This issue is only about changing
In my opinion this change is required regarding GDPR, as we can't protect user data properly if we don't even know who read it before it hit the Matomo server. I would even go as far as to send a reminder to users to update their old tracking codes.
Dear all,
I just noted that the auto-generated JavaScript / image tracking code seems to be incomplete for the server URL. The following code is generated and misses the protocol information (e.g., "https:" or "http:") in front of the URL string (e.g., during the definition of "u").
Is there a reason for this?
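To make the difference discussed in this thread concrete, here is an added example (not Piwik/Matomo project code) that builds the "u" value of a tracking snippet either protocol-relative or with a forced https scheme, and resolves it the way a browser would for a given embedding page. The host names, the `forceSsl` flag and the helper names are this example's own assumptions; the snippet shape is modelled on the familiar Piwik tracking code.

```javascript
// Added example, not Matomo/Piwik project code. Host names and the
// forceSsl flag are assumptions made for this illustration.

// Build the "u" value the generated snippet assigns.
function trackerBaseUrl(host, forceSsl) {
  // Protocol-relative form: the browser reuses the scheme of the page
  // the snippet is embedded in. Forced form: always https.
  return forceSsl ? "https://" + host + "/" : "//" + host + "/";
}

// Resolve a (possibly protocol-relative) URL as a browser would when
// the page itself was loaded from pageOrigin.
function resolveTrackerUrl(trackerUrl, pageOrigin) {
  return new URL(trackerUrl, pageOrigin).href;
}

// Scheme that the piwik.js / piwik.php requests will actually use.
function trackerScheme(host, forceSsl, pageOrigin) {
  var resolved = resolveTrackerUrl(trackerBaseUrl(host, forceSsl), pageOrigin);
  return new URL(resolved).protocol; // "http:" or "https:"
}

// Render the snippet so the value of "u" is visible in the output.
function renderSnippet(host, siteId, forceSsl) {
  var u = trackerBaseUrl(host, forceSsl);
  return [
    "var _paq = _paq || [];",
    "_paq.push(['trackPageView']);",
    "(function() {",
    "  var u=\"" + u + "\";",
    "  _paq.push(['setTrackerUrl', u+'piwik.php']);",
    "  _paq.push(['setSiteId', '" + siteId + "']);",
    "  var d=document, g=d.createElement('script'),",
    "      s=d.getElementsByTagName('script')[0];",
    "  g.async=true; g.defer=true; g.src=u+'piwik.js';",
    "  s.parentNode.insertBefore(g,s);",
    "})();"
  ].join("\n");
}

// Constructed cases: a legacy http-only site and an https shop, both
// sending data to a Piwik server that is reachable over https.
var onLegacyHttp = trackerScheme("piwik.example.org", false, "http://legacy.example.com/page");
var onLegacyForced = trackerScheme("piwik.example.org", true, "http://legacy.example.com/page");
```

With the protocol-relative form the legacy http page sends tracking data in the clear, while the forced form uses https regardless of the embedding page's scheme.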