Ticket #588 (new New feature)

Opened 3 years ago

Last modified 4 months ago

New admin setting: only track visits on these domains / URLs hosts

Reported by: maze
Owned by:
Priority: major
Milestone: 1.x - Piwik 1.x
Component: Core
Keywords:
Cc:
Sensitive: no

Description

Piwik statistics can be distorted by copying the JavaScript code to third party sites. In the "Websites Management" you can add new sites with their URLs. But everybody can copy your JavaScript code to his own site and manipulate your statistics.

Piwik needs to be updated with a function that defines domains that are allowed to be counted.

Change History

in reply to: ↑ description   Changed 3 years ago by gre3d

This option will only be viewable if you log in as an admin? Other users that you just want checking stats should be given a different login w/o admin credentials so they cannot go to site management.

View access will not show the javascript code shown to track within the Piwik front end.

  Changed 3 years ago by vipsoft

  • summary changed from Piwik statistics can be distortet to Piwik statistics can be distorted
  • type changed from Bug to New feature
  • milestone set to Features requests - after Piwik 1.0

Piwik relies on information sent by the browser. Whatever we do on the server, there is some implicit trust that what the client sends is not malicious.

Server side filtering might incur the performance penalty concern raised in ticket #9. Redesignating this ticket as a plugin feature request.

A benefit of the current implementation is that discrepancies in one's stats may help to identify copyvio or malicious activity to be blocked.

  Changed 3 years ago by vipsoft

  • priority changed from major to normal
  • component changed from Core to Plugins

  Changed 3 years ago by vipsoft

  • summary changed from Piwik statistics can be distorted to Plugin: Domain filtering

Requirements:

  • UI to enter domain name(s) for this site, e.g., example.com, www.example.com, example.subhosting.com, subhosting.com/example/
  • Filter out URLs which don't match domain names for this site
  • Provide report of filtered URLs (group by domain) to identify potential copyvio or malicious activity

  Changed 3 years ago by matt

There is now a mechanism that is used to cache site data in files to be loaded by piwik.php tracker code. That wouldn't add the lookup at tracking time.

On the UI side we already ask for multiple URL aliases for the website. We could simply add a checkbox (disabled by default): "Exclude all visits that do not load the Piwik code from one of these URLs".

I agree with vipsoft's suggestion of reporting malicious activity, but not in V1.

  Changed 2 years ago by spomoni

  Changed 2 years ago by spomoni

  Changed 19 months ago by matt

  • sensitive unset
  • summary changed from Plugin: Domain filtering to New setting: only track visits on these domains

  Changed 19 months ago by matt

  • milestone changed from Features requests - after Piwik 1.0 to 5 - Piwik 1.1

  Changed 16 months ago by vipsoft

  • owner set to vipsoft

  Changed 16 months ago by matt

Correction: this should be in core, not in a plugin as I previously suggested.

  Changed 16 months ago by vipsoft

  • owner vipsoft deleted

  Changed 15 months ago by matt

  • milestone changed from 1.1 - Piwik 1.1 to Features requests

  Changed 15 months ago by matt

  • priority changed from normal to major
  • summary changed from New setting: only track visits on these domains to New admin setting: only track visits on these domains

  Changed 15 months ago by matt

  • component changed from New Plugin to Core

  Changed 13 months ago by matt

Also, the HTTP Referer should be checked: it should be non-empty and have one of the known domain URLs.

  Changed 13 months ago by matt

  • summary changed from New admin setting: only track visits on these domains to New admin setting: only track visits on these domains / URLs hosts

  Changed 13 months ago by vipsoft

The basic check is on the url parameter in the request.

The Referer check has to be separately enabled/disabled to accommodate use cases, such as:

  • when the visited page is https, but the tracker is http (in which case, the Referer is empty)
  • to mitigate undercounting visits when user agents block the Referer via add-on / privacy setting
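
The checks discussed in this ticket, sketched in Python as an added example (not Piwik code and not written by any commenter): the basic check on the url parameter against the site's URL entries, the separately switched Referer check, and the grouped report of filtered hits. The names `accept_hit`, `filtered_report` and `check_referer` are hypothetical, and the sample hits are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Allowed entries are the examples from the ticket's requirements list.
SITE_URLS = ["example.com", "www.example.com",
             "example.subhosting.com", "subhosting.com/example/"]

# Constructed sample hits: (url parameter, Referer header).
HITS = [
    ("http://www.example.com/pricing", "http://www.example.com/"),
    ("https://subhosting.com/example/blog", ""),  # https page, http tracker
    ("http://subhosting.com/example-2/", ""),
    ("http://example.com.mirror.test/", "http://example.com.mirror.test/"),
    ("http://copy.test/index.html", "http://copy.test/"),
]

def _parse(entry):
    """Return (lowercase host, path without trailing slash); ('', '') if unparseable."""
    try:
        parts = urlsplit(entry if "//" in entry else "//" + entry)
        return (parts.hostname or "").lower(), parts.path.rstrip("/")
    except ValueError:
        return "", ""

def _allowed(url, site_urls):
    host, path = _parse(url)
    for entry in site_urls:
        ok_host, ok_path = _parse(entry)
        # Exact host comparison, so "example.com.mirror.test" does not pass as
        # "example.com"; path prefixes only match on a segment boundary.
        if host and host == ok_host and (path == ok_path or path.startswith(ok_path + "/")):
            return True
    return False

def accept_hit(url, referer, site_urls, check_referer=False):
    """Basic check on the url parameter; the Referer check is a separate switch."""
    if not _allowed(url, site_urls):
        return False
    if check_referer:  # an empty Referer is rejected when the check is on
        return bool(referer) and _allowed(referer, site_urls)
    return True

def filtered_report(hits, site_urls, check_referer=False):
    """Count rejected hits, grouped by the host in the url parameter."""
    rejected = Counter()
    for url, referer in hits:
        if not accept_hit(url, referer, site_urls, check_referer):
            rejected[_parse(url)[0] or "(unparseable)"] += 1
    return rejected
```

With the Referer check enabled, the second sample hit (a legitimate https page with an empty Referer) is also rejected, which is the undercounting case that makes the switch necessary.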

  Changed 4 months ago by matt

  • milestone changed from Feature requests to 1.x - Piwik 1.x