IFrame Subdomain tracking with Google Analytics - iframe

I have a website that I created for the company I work at. This site is on a subdomain and is brought in as an iframe within another company's retail site, as we offer services under them. Is there a good way to track this with Google Analytics? I've never tracked a subdomain before, let alone in an iframe.
I've created a test analytics account, and added the top level domain, but I only put the tracking code on the pages for the subdomain that I created the site on. Will this even give me any information? And if that part of it works, is the information from an iframe setup accurate? I know from a design standpoint an iframe is kind of off in its own world within a world, but does anyone have any experience on how Google sees a site like that?
I've searched the forums and anywhere else I could think of, and they have bits of info on subdomains, practically nothing on iframes, and nothing combining the two. I have no access to adding any tracking code to the partner company's retail site either.

If your iframe-hosted content is not on the same domain as the parent page (which I'm going to assume it is not, based on the context of your question), then Google will report the page name as the URL of the iframe, not the parent page.
GA code has a way to override the default page name; however, you cannot retrieve the parent URL in this case, because this is considered cross-site scripting (XSS).
The only way to get info about the parent page in this case is for whoever has control over the parent page that has the iframe tag to pass the parent URL to the iframe by adding a query string parameter to the iframe src="..." attribute (also, same thing for any other info you want to pass to the iframe page). Then you can write some JavaScript to retrieve those values from the URL and pop whatever you want, including overriding the default reported page name (which you would do by setting the optional 2nd param to your _trackPageview call).
If the iframe content IS on the same domain (even if it is a subdomain of the parent page), then you can access the parent page properties using parent.window.whatever instead of window.whatever.

Well, from what I understand, you have a page that will be inserted inside an iframe in a second page, but we need to know whether the page that will host the iframe is in the same domain as the calling page:
If the page called by the iframe is in the same domain as the calling page:
In this case, you can insert the Google Analytics JavaScript block in both the iframe and the main page, and we have the measurement data from both the main site and the iframe.
If the page that calls the iframe belongs to a different domain:
Some of the features that are measured are in frames within the site. These iframes indicate the domain, for example, site.com.br. Whenever a page in one domain has a frame pointing to a different domain, the browser prevents cookies from being stored inside the iframe, which in this case would prevent the measurement.
Cookies are nothing more than small text files that are stored by your browser on the machine. Most of our cookies are session cookies that are automatically deleted from your hard disk when the window is closed. Persistent cookies are also used by websites to make it easier to identify your computer on your next visit to the site. Cookies can be disabled in your browser; however, this will preclude all the functions available on the site.
To allow cookies to be recorded, you should add P3P headers on the HTTP server that serves the pages. This header causes no change in the display or operation of the pages. It just instructs the browser to allow third-party cookies to be recorded; however, it plays a bigger role in Internet Explorer. If you do not set it, you can still receive data from other browsers (Google Chrome, Firefox, Opera, etc.), but Internet Explorer is still widely used by the general population.
Imagine that we have four distinct domains:
www.site1.com
www.site2.com
www.site3.com
www.site4.com
These four pages will receive the iframe tag:
<iframe src="http://www.meusite.com.br/anuncio.php"></iframe>
The anuncio.php page needs to send a P3P header in order to accept third-party cookies.
To add the P3P header, use the code below (it should be added to all pages that belong to the same domain):
ASP.NET
HttpContext.Current.Response.AddHeader("p3p", "CP=\"PSA CONE NOI ONL OUR BUS\"");
PHP
header('P3P: CP="NOI PSA CONE ONL OUR BUS"');
JSP
response.setHeader("P3P", "CP=\"NOI PSA CONE ONL OUR BUS\"");
ColdFusion
<cfheader name="P3P" value="CP='PSA CONo OUR ONL NOI BUS'" />
I hope to have helped :)

Related

Load iframe on specific domains only

I want to allow some websites to embed an iframe with a page from my domain. However, I don't want anybody to be able to use the iframe content without my permission. How can I allow only domains of my choice to be able to embed the iframe with the page's content?
I know Vimeo does this, and allows video owners to block the video on certain websites that they don't find appropriate.
I want a server-side ASP.NET solution, because JavaScript code can be altered. However, if it can be done using JavaScript code and it's secure, it's OK.
From what I've seen, I need to pass the referrer in some way, but in a way that can be manually altered by other website owners to include the iframe themselves and it would work on their website too, without a permission.
Since it will be a standalone page as you mentioned in the comments, you can do this by inspecting the referer property.
Request.UrlReferrer
See that it contains the domain that you want to allow. This property is available when an embedder puts your page in the IFRAME's SRC attribute and the page loads for the first time.
If the user clicks on a link inside the IFRAME, it is not guaranteed to pass the containing page as a referrer.
If you want to allow multiple linked pages inside the IFRAME to allow a specific domain, then you will need to stick to a JavaScript based solution.
Note however that neither method is completely foolproof.
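The Referer check from the answer above, written as an added example (not code from the thread, and in JavaScript rather than ASP.NET). It compares the Referer's origin exactly instead of testing whether it "contains" the domain, and pairs it with a `Content-Security-Policy: frame-ancestors` response header, a browser-enforced control the answer does not mention. The origins and function names are constructed for illustration.

```javascript
// Origins permitted to embed the page (constructed sample values).
const ALLOWED_ORIGINS = ['https://partner.example', 'https://shop.example'];

// Compare the Referer's origin exactly. A substring test would also accept
// https://partner.example.evil.test/ or https://evil.test/?u=partner.example.
function refererAllowed(refererHeader, allowed = ALLOWED_ORIGINS) {
  if (!refererHeader) return false; // header absent or stripped by policy
  try {
    return allowed.includes(new URL(refererHeader).origin);
  } catch (e) {
    return false; // not a parseable absolute URL
  }
}

// Value for the Content-Security-Policy response header. The browser refuses
// to render the page inside a frame whose ancestor is not listed here.
function frameAncestors(allowed = ALLOWED_ORIGINS) {
  return 'frame-ancestors ' + (allowed.length ? allowed.join(' ') : "'none'");
}

// Decide how to answer a request for the embeddable page.
function embedDecision(refererHeader, allowed = ALLOWED_ORIGINS) {
  return {
    status: refererAllowed(refererHeader, allowed) ? 200 : 403,
    headers: { 'Content-Security-Policy': frameAncestors(allowed) },
  };
}
```

The Referer value is supplied by the client and may be missing, so the 403 branch only filters casual embedding; the `frame-ancestors` header is the part the visitor's browser enforces.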

How much data can an iframe read from its parent window?

If I create a widget and embed it in an <iframe> on a site that is from a different domain, how much data about the parent page can the widget read?
Obviously there's no DOM access, but is there any access to other information, such as whether the parent page has a parent, or what the url of the parent page is?
Normally the content of an iframe served from a different domain cannot access the parent in any way. It's like loading the page in a different browser tab.
However, even if served from a different domain, there is a possible man-in-the-middle attack which will allow access to the parent DOM. This is easier than it sounds -- anyone who has administrative control over a public WiFi access point could carry out this attack (think Starbucks, hotels, airports).
It is possible to protect against this attack using the HTML5 iframe sandbox attribute -- see below.
The man-in-the-middle attack works as follows. Suppose your page loads off http://yoursite.com and the iframe goes to http://badsite.org
First, http://badsite.org redirects to http://yoursite.com/badpage
This is the step that requires a man-in-the-middle attack. The attacker must either be able to get between the user and yoursite.com, or control the answers to your DNS lookup. The goal is to serve the content of http://yoursite.com/badpage from the attacker's site, not your actual site.
The attacker can then serve whatever malicious code they like from the (fake) http://yoursite.org/badpage. Because this is in the same domain as the main page, it will have access to the parent DOM.
The HTML5 iframe sandbox attribute seems to be the way to avoid this. You can read the spec, but the best description might be here.
This seems to be supported on Chrome, IE10, Firefox, Safari.
The spec says that if the "allow-same-origin" attribute is not set, "the content is treated as being from a unique origin." This should prevent your child iframe from accessing any part of the parent's DOM, no matter what the browser thinks the URL is.
Sandbox also lets you disable scripts, pop-ups, the ability to change the top level URL, and other things.
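A small helper for the sandbox approach described above, as an added example that is not part of the original answer. It builds the iframe markup for a third-party widget, accepts only sandbox tokens defined by the HTML standard, and refuses `allow-same-origin` so the framed content always gets a unique origin. The https-only rule and the function names are assumptions made for this example.

```javascript
// Sandbox tokens from the HTML standard that this helper accepts.
const KNOWN_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-pointer-lock', 'allow-popups',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build markup for an untrusted widget. With no tokens the frame runs no
// scripts; each token listed gives one capability back.
function sandboxedIframe(src, tokens = []) {
  const url = new URL(src); // throws on relative or malformed input
  if (url.protocol !== 'https:') {
    // Assumption of this example: plain http is what lets a network attacker
    // substitute the framed content, so it is rejected outright.
    throw new Error('widget must be loaded over https');
  }
  for (const token of tokens) {
    if (!KNOWN_TOKENS.has(token)) {
      throw new Error('unknown sandbox token: ' + token);
    }
    if (token === 'allow-same-origin') {
      // Keeping this off is what makes the content a unique origin,
      // whatever URL the browser believes it was loaded from.
      throw new Error('allow-same-origin defeats the isolation');
    }
  }
  return '<iframe src="' + escapeAttr(url.href) + '" sandbox="' +
    tokens.join(' ') + '"></iframe>';
}
```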
I did a little Google search, and it turns out that normally you cannot access the internal guts of the iframe if the content is on another domain (same origin policy); however, there's an article here which can give you some ways around that.

Make Google Analytics count visits to 3rd party site using iFrame (Hidden)

Will Google Analytics count visits/page views etc. if I place a hidden iFrame in my web page?
The iFrame source has a Google Analytics tracking code installed.
My users browse the site from a mobile device such as Android/iPhone.
My purpose is that the 3rd party site will count my page views as their own (as if the user actually visited their web page).
Making the iFrame hidden is possible in several ways:
Making its style hidden.
Setting its size to a small size where the user won't notice it much.
Considering your intentions, Google Analytics will divide the data collections from both sites, even being inside the iFrame.
Only 2 things to watch out for:
- The UAs have to be different for both sites
- P3P: Some browsers won't allow the site inside the iFrame to write cookies, as it will be considered third party, so you'll have to use P3P to fix that.

Getting the url in address bar in an iframe

I am working on a project in Drupal in which I have an iframe loaded in another website.
I need to get the URL from the address bar.
E.g., let's say I have a website embedded in the iframe as example.com, and another site embedding this iframe has the domain abcd.com.
So, the URL that gets formed on accessing any content in the iframe would be like:
abcd.com/#/
I need to get this URL in the iframe.
Please help me resolve this problem. I am trying to write a custom module for this but dunno how to proceed.
You cannot access the URL of an iframe from the outside. Think about potential XSS attacks that could occur from that:
http://yourbankingsite/account?sessid=2239872379092FEAACC2390823
Of course, this is a bad way to store the session id, but there are quite a few (and popular) sites that do this. If you had access to the iframe URL, a malicious website could be nothing but said iframe and a script to harvest the session ID.
In your iframe you could add a variable to the iframe URL and use Drupal's 'current_path' to get the URL of the iframe's parent. Then you could retrieve this variable from your iframe page (and make sure you validate it before you use it), i.e.
www.iframsite.com/iframepage?from=<?php print current_path(); ?>

Why does Google Analytics cross-domain tracking across an iframe require tracking snippets in both domains?

I'm creating a shareable widget, for anyone to copy onto their website. The shareable piece of code is an iframe that points to the actual widget that lives on our hosted site (i.e. ourdomain.com). If we ever want to tweak the actual widget, we can do so in one place, with no effect on the iframes pointing to it from other sites we have no control over.
I tried the approach of cross domain tracking. While I was analyzing the results, I observed that the path of the shared widget code (not on our domain) appears within the content view in GA. This runs counter to a response from my previous post "if it is being inserted into many domains you are going to need to set up multiple GA accounts and use different account numbers per user."
Correct me if I am wrong: Any tracking code using our unique account id will appear in our GA by default, no matter where it's hosted, whether the code is implementing cross domain tracking or not.
http://www.google.com/support/forum/p/Google+Analytics/thread?tid=6af5b4c3e30c71be&hl=en
Since any page that hosts GA tracking code shows up in our content view, I could locate where the widget is being viewed by simply looking for all pages whose name did not include ourdomain.com. Of course this includes proxy servers as well, but I was going to also include a custom variable so I could implement a filter based on the custom variable.
So explain to me where this breaks down or what I'm missing here. Is there some amount of data I am losing here because the GA cookie is not in fact being utilized? Give me a good reason why I should put in the effort to fully implement cross domain tracking, including the necessary P3P implementation on our server for IE visitors.
As a sidenote, I am considering adding GA tracking code with an event tracker within the widget itself to track when people actually USE the widget (as distinct from when the widget is loaded). I understand that by not implementing cross domain tracking I would not be able to obtain any data about the visitor, only whether the widget was acted upon or not.
As the referring site is the primary bit of information we need, I'm going to pass the referrer in the URL that loads the iframe content and then override the referrer within the tracking code:
_gaq.push(['_setReferrerOverride',ht_referrer]);
as documented here:
http://www.prusak.com/google-analytics-referrer-override/
This way, I don't need to inject tracking code into my widget, just some JavaScript that adds the referrer to the URL that loads the iframe.
Wish me luck.
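The pattern that recurs on this page (the query string parameter in the first Google Analytics answer, the `from` variable in the Drupal answer, and the referrer override above) is sketched here as an added example, not code from any of the posts. The iframe page reads the embedder's URL from its own query string, validates it before use, and queues the ga.js `_setReferrerOverride` and `_trackPageview` calls. The parameter name `from`, the host allowlist and the `/embedded/` path prefix are hypothetical.

```javascript
// Hosts expected to embed the widget (constructed sample values).
const ALLOWED_EMBEDDERS = new Set(['www.site1.com', 'www.site2.com']);

// Parse and validate the parent URL passed in the iframe's query string.
// Anyone can type this value into a URL, so it is treated as untrusted.
function parentFromQuery(search, param = 'from') {
  const raw = new URLSearchParams(search).get(param);
  if (!raw || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  if (!ALLOWED_EMBEDDERS.has(url.hostname)) return null;
  return url;
}

// Build the ga.js command queue entries for this page view.
function buildGaCommands(search, ownPath) {
  const parent = parentFromQuery(search);
  if (!parent) return [['_trackPageview', ownPath]];
  // Report origin and path only: the parent's query string and fragment
  // can carry session ids or other data that does not belong in analytics.
  return [
    ['_setReferrerOverride', parent.origin + parent.pathname],
    ['_trackPageview', '/embedded/' + parent.hostname + parent.pathname],
  ];
}

// In the iframe page (browser only): hand the commands to ga.js.
if (typeof window !== 'undefined') {
  window._gaq = window._gaq || [];
  buildGaCommands(window.location.search, window.location.pathname)
    .forEach((cmd) => window._gaq.push(cmd));
}
```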
