ktmud commented on pull request #12315: URL: https://github.com/apache/superset/pull/12315#issuecomment-755936639
@mistercrunch The library you mentioned had a disclaimer [on their GitHub page](https://github.com/googleanalytics/autotrac) saying it is no longer actively maintained. And I believe it is deprecated for a reason: the DOM-based approach is unreliable and not scalable. Hooking tracking into native browser events without letting the app itself know sounds monkey-patchy and could easily break. You never know how it will interact with app code (or library code that you have no control of). It may work well for getting quick stats from simpler apps, but could quickly fall short of usefulness in a complex app like Superset.

A proper way to do this is to provide a generalized interface for client-side tracking, plant the tracking code in proper places, and let administrators/developers decide where the events are sent to.

If all we want is to have a quick way of injecting GA scripts, we could just introduce a `preambleExtra.ts` override file. This way,

1. We don't have to worry about the additional risk of arbitrary content in the HTML.
2. The tracking code can still have access to ESM modules (hence Superset app context) if needed, which in general is not possible with script tags.

As regards the security risks, I am no expert in this area, but I'd imagine the security risks of having access to `app.config` vs. having the ability to inject arbitrary HTML code to the end users are still different. The attackers could do a lot of nasty stuff via the browser, e.g. making a request to an internal URL that only an authorized user in the browser has access to.
