JavaScript tracker exclude query parameters #18031
Conversation
|
build js |
…to m-17887-exclude-query-params
There was a problem hiding this comment.
Have just been looking at this and I can't see existing excluded params from Administration > Websites > Manage appearing in the generated tracking code. Is there something I'm missing?
edit: I see, the API endpoint only pulls the global excluded query params, not those applicable to the specific website I was expecting.
|
If I see that correctly the Tracking Code Generator currently automatically adds a |
|
@sgiehl I don't see where it gets the excluded params for the website - looks like it only gets the global ones currently? |
|
@sgiehl not sure. I'm kind of thinking we wouldn't need to expose this to the tracker code generator UI at all as it's rarely needed maybe. I'm not sure if we should expose the global list of excluded URL parameters. Not sure if there could be any risk with this or not. I suppose it might not be. Generally, there is also the list of excluded parameters from the config @mattab what are your thoughts? The above logic implements that global excluded config parameter gets exposed in the tracking code generator. Say you have configured this: then it adds below code
Having the excludedParameters API parameter in the tracking code generator is 👍 but I would maybe not add any global excluded parameter by default. I would probably also not add a UI to enter extra parameters to exclude as it's simply needed so rarely. On the other side someone could argue when they copy/paste the tracking code they can still remove the line for removing URL parameters if they didn't want to expose this information but often users wouldn't even know what it is. Note that the global excluded parameters list supports REGEXP which I think the JS logic isn't. To have a bit more security by default I would exclude these parameters by default |
|
If we're not wanting to expose the excluded parameters in the generated tracking code then maybe we could hash the values when generating the tracking code and then have purify() check those hashes against the hashed value of the parameters? That way it wouldn't be possible for users to just read off a list of interesting parameters from the tracking code. |
|
I reckon with rainbow tables etc the original value could be often found out quite quickly. See internal slack we would for now go only with exposing the website specific excluded parameters. If someone needs to exclude parameters then they can still exclude them manually by adjusting the tracking code. |
|
Is there actually any need to include the server side excluded parameters into the tracking code? Imho we could simply not include them there at all. The server side exclusion will still work the same... |
|
@sgiehl we don't need it there. In the issue back then I mentioned we could do it. I reckon now that it's already it can be a good benefit that we show the site specific excluded parameters automatically. It's good for privacy and security to remove these already in the site. |
|
build js |
bx80
added
the
not-in-changelog
|
build js |
plugins/CoreAdminHome/angularjs/trackingcode/jstrackingcode.controller.js
Outdated
Show resolved
Hide resolved
|
It could make sense to also reflect those changes in the UI tests. We already have a test that shows the tracking code generator here: matomo/tests/UI/specs/UIIntegration_spec.js Lines 793 to 803 in 03dbff2 So maybe we could simply add some globally excluded site parameters, so they are displayed within the tests. Guess we could add that code somewhere around here: matomo/tests/PHPUnit/Fixtures/UITestFixture.php Lines 107 to 110 in 8c3f495 To ensure some "bad parameters" won't hurt, it might be good to use some xss parameters like: \Piwik\Plugins\SitesManager\API::getInstance()->setGlobalExcludedQueryParameters(implode(',', [
$this->xssTesting->forTwig('excludedParameter'),
$this->xssTesting->forAngular('excludedParameter'),
])); |
…ntroller.js Fix parallel API call issue Co-authored-by: Stefan Giehl <stefan@matomo.org>
|
Tried updating the remaining UI tests, but the artifacts upload is currently not working, so I'm not able to check if the failing tests are related. Once the related UI tests are fixed guess this should be ready to merge |
Description:
Fixes #11627
(This is a re-submission of PR 17887 to work around merge failure)
Adds a new option to the JavaScript tracker to exclude query parameters from the tracked URL.
_paq.push(["setExcludedQueryParams", ["uid", "sid"]]);
Existing purify() and removeUrlParameter() functions were reused.
The tracker code generator has been updated to automatically add this option to the generated javascript tracking code using the excluded query parameters configured under Websites > Settings.
Tracker code generator unit tests have also been updated to test for valid tracker code and string escaping with the option enabled.
(Initially used "setIgnoreUrlParams" as the option name as per issue report, but though it would be more consistent to use "setExcludedQueryParams" to match the existing config option and UI terminology.)
Review