Are there any concerns with someone embedding the divolte js in their own page?


david...@gmail.com

Aug 12, 2019, 4:47:54 PM
to divolte-collector
This may be a silly question, but if someone references our divolte.js using the URL from our site on their site, would they not be signalling our collector, and essentially injecting data into our clickstream?

Friso van Vollenhoven

Aug 13, 2019, 8:23:16 AM
to divolte-...@googlegroups.com
Yeah, clickstream collection like this always relies on some public endpoint that anyone can call. So even without including your script, someone can just make calls to the Divolte collection endpoint and pretend to be a browser. There is really nothing to defend against this.

While abusing a clickstream collection endpoint like this is fairly straightforward, there is no major benefit to polluting someone else's clickstream data, so no one is too concerned about this in practice (e.g. Google Analytics has exactly the same problem and doesn't appear to guard against this).

Also note that if someone were to include your divolte.js tag in their page, they wouldn't set the cookies on the same domain as yours, so everything originating from that tag would be a separate set of party identifiers with clickstream for a different domain.


Cheers,
Friso


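The reply above makes two practical points: a third party embedding your tag (or calling the collector directly) can push events into your stream, and those events carry their own party/session identifiers and a location on a different domain. Since the endpoint itself cannot be locked down, the usual place to deal with this is downstream, by checking the recorded page location against your own hostnames. The script below is an added example and not Divolte's own code; the field names (partyId, sessionId, location, referer) follow Divolte's default record mapping but are an assumption here, and the sample events are constructed. Note the limitation Friso mentions: a caller who hand-crafts requests with a plausible location cannot be told apart this way.

```python
"""Flag clickstream events that did not originate from our own pages.

Added example, not Divolte's code. Field names (partyId, sessionId,
location, referer) are assumed to follow Divolte's default record
mapping; the events below are constructed, not real collector output.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames on which our divolte.js tag is legitimately deployed (assumed).
OWN_HOSTS = ("shop.example.com", "www.example.com")

# Constructed sample events.
SAMPLE_EVENTS = [
    {"partyId": "p1", "sessionId": "s1",
     "location": "https://shop.example.com/cart",
     "referer": "https://www.google.com/"},
    {"partyId": "p1", "sessionId": "s1",
     "location": "https://shop.example.com/checkout",
     "referer": "https://shop.example.com/cart"},
    # Our tag embedded on a third-party page: separate party/session ids,
    # because the cookies were set for that site's domain.
    {"partyId": "p9", "sessionId": "s9",
     "location": "https://other-site.example.net/blog", "referer": ""},
    {"partyId": "p9", "sessionId": "s9",
     "location": "https://other-site.example.net/blog/2",
     "referer": "https://other-site.example.net/blog"},
    # A hand-crafted request to the collector that omits the page location.
    {"partyId": "p7", "sessionId": "s7", "location": "", "referer": ""},
    # Lookalike host: our name is a prefix, but it is not our subdomain.
    {"partyId": "p8", "sessionId": "s8",
     "location": "https://shop.example.com.evil.example/x", "referer": ""},
]


def host_of(url):
    """Return the lowercase hostname of url, or '' if absent or unparseable."""
    if not url:
        return ""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_own_host(host, own_hosts=OWN_HOSTS):
    """True if host is one of ours or a subdomain of one.

    The suffix match is anchored on a label boundary ('.' + host), so
    'notshop.example.com' and 'shop.example.com.evil.example' do not match.
    """
    return any(host == h or host.endswith("." + h) for h in own_hosts)


def classify(event, own_hosts=OWN_HOSTS):
    """Return None for an event from our own pages, otherwise a reason string."""
    host = host_of(event.get("location"))
    if not host:
        return "missing_location"
    if not is_own_host(host, own_hosts):
        return "foreign_location:" + host
    return None


def flag_foreign_events(events, own_hosts=OWN_HOSTS):
    """Return [(reason, event)] for every event not attributable to our pages."""
    flagged = []
    for ev in events:
        reason = classify(ev, own_hosts)
        if reason:
            flagged.append((reason, ev))
    return flagged


def foreign_parties(events, own_hosts=OWN_HOSTS):
    """Map partyId -> set of foreign hosts seen under that party.

    Polluted traffic from an embedded tag shows up under its own party ids,
    never mixed into a party that also browsed our pages.
    """
    parties = defaultdict(set)
    for ev in events:
        host = host_of(ev.get("location"))
        if host and not is_own_host(host, own_hosts):
            parties[ev["partyId"]].add(host)
    return dict(parties)


def clean_events(events, own_hosts=OWN_HOSTS):
    """Keep only events whose location is on one of our own hosts."""
    return [ev for ev in events if classify(ev, own_hosts) is None]


if __name__ == "__main__":
    for reason, ev in flag_foreign_events(SAMPLE_EVENTS):
        print(reason, ev["partyId"], ev["location"] or "<none>")
```

Run this over the events as they come out of the collector's sink (Kafka, HDFS, etc.) before they reach reporting; events flagged `missing_location` are the ones most likely to come from a non-browser caller, while `foreign_location` groups show the separate party identifiers an embedded tag produces.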
david...@gmail.com

Aug 13, 2019, 4:54:42 PM
to divolte-collector
Perfect, thanks. That is what we thought, but just wanted to confirm our assumptions.
