Google Analytics - 它可以收集表单数据吗? [英] Google Analytics - can it collect form data?
问题描述
我有一个注册表单,包含用户名,密码,电子邮件地址,可能是信用卡号。
该网页实施了Google Analytics(分析)代码。当用户点击提交时,它会转到一个没有谷歌分析的页面。
问题是..
可以GA在用户输入数据后获取第一个表单中的数据(用户naem,密码..email ..等)吗?
他们会说什么关于它在他们的服务条款或隐私政策?
是的。您包含在页面中的任何< script> 均具有完整访问权限,以改变用户与该站点之间由于相同来源策略的交互。如果Google今天感觉到Evil的确可以重写< form> 的动作来指向自己,或记录每个按键,或者在您的网站上创建包含另一个页面的< iframe> ,并模拟用户点击该页面中的任何操作。
请勿在任何页面中包含< script> 您网站上所有内容的安全性。即使任何页面上的单个跟踪或广告客户脚本都会危害同一主机名上的所有内容(如果您要设置 window.domain 以允许跨主机名脚本,或者其他子域名在主机名之间共享cookie)。
然而,Google Analytics脚本目前并不执行任何这些操作,表单提交也不会流向谷歌理所当然;他们将不得不故意采取行动窃取数据。很明显,如果发现这样做会是灾难性的,所以他们可能不会这样做。但从技术上讲,他们可以。在银行网站上看到第三方广告和跟踪脚本让我感到很痛苦。
Simple scenario: I have a signup form, with user name, password, email address, may be credit card number.
At the bottom of the page, I implement the Google Analytics code.
when user clicks submit, it goes to a page wihtout google analytics.
question is.. can GA get the data (user naem, password..email..etc) in the first form after user input the data?
Do they say anything about it in their TOS or Privacy policy?
Yes. Any <script> you include in the page has complete access to alter the user's interaction with the site due to the Same Origin Policy. Google, if they were feeling Evil today, could certainly rewrite the action of your <form> to point to themselves, or log every keypress, or create an <iframe> containing another page on your site and simulate the user clicking on any action in that page.
Do not include <script> on any page from a party you don't completely trust with the security of everything on your site. Even a single tracking or advertiser script on any page compromises everything on the same hostname (and maybe other subdomains if you are setting window.domain to allow cross-hostname-scripting, or sharing cookies between hostnames).
However, the Analytics script doesn't currently do any of these things and the form submission will not flow to Google as a matter of course; they would have to deliberately act to steal the data. Clearly it would be disastrous for them to be discovered doing it, so they presumably won't. But technically, they could. It always pains me to see third-party ad and tracking scripts on bank sites.
这篇关于Google Analytics - 它可以收集表单数据吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
