Cross-domain scripting issues with the Webtrends JavaScript tag

Products

Webtrends Analytics 8.x
Webtrends Analytics 9.x

Cause

A site using the Webtrends JavaScript tag has been identified with a “cross-domain scripting” problem. This may show up in a spyware report or as a security error message, or the browser may not run the Webtrends tag script at all.

“Cross-domain scripting” means that the browser is attempting to execute a JavaScript file that is not located on the same domain as the web page which links to it. For example, a page on www.example.com is attempting to run a JavaScript file from www.example123.com. Most browsers refuse to run a script from a different domain, as a security precaution against malware such as spyware scripts.

Resolution

Consider the two components of the Webtrends tag:

  1. JavaScript include file (webtrends.js)
  2. Inline HTML page code to execute webtrends.js

To avoid cross-domain scripting issues, the JavaScript file and website should be located on the same primary domain. Using a domain which differs from the main site will cause various problems, such as the script failing to execute, or the browser displaying a malware warning message. Please note that using separate sub-domains is acceptable as long as those sub-domains are of the same primary domain. For example, www.example.com and scripts.example.com are not considered cross-domain because they are both on example.com.

More Information

Best practices for implementing the JavaScript tag:

  • Store the script and the website on the same primary domain.
  • Use a relative address when the script and website share a sub-domain (of the same primary domain).
  • Use an absolute address when the script and website are on separate sub-domains (of the same primary domain).
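
The best practices above can be checked mechanically when auditing a page. The following is an added example, not Webtrends code: the function names are hypothetical, and the multi-label suffix set is a small constructed sample standing in for the full Public Suffix List.

```javascript
// Added example: classify how a page references webtrends.js.
// MULTI_LABEL_SUFFIXES is a constructed sample; a real audit should use the
// full Public Suffix List to find the primary (registrable) domain.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Return the primary domain of a hostname,
// e.g. scripts.example.com -> example.com, www.shop.co.uk -> shop.co.uk.
function primaryDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Classify a script reference relative to the page that includes it.
function classifyTagSrc(pageUrl, scriptSrc) {
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, page); // resolves relative addresses
  // Absolute (http://...) or protocol-relative (//host/...) address?
  const isAbsolute = /^([a-z][a-z0-9+.-]*:)?\/\//i.test(scriptSrc);

  if (primaryDomain(page.hostname) !== primaryDomain(script.hostname)) {
    return { status: "cross-domain",
             advice: "host the script on the site's primary domain" };
  }
  if (page.hostname === script.hostname) {
    return { status: "same-sub-domain",
             advice: isAbsolute ? "a relative address is sufficient" : "ok" };
  }
  // Same primary domain, different sub-domain: only an absolute address
  // can reach it, which matches the third best practice.
  return { status: "separate-sub-domain", advice: "ok" };
}

// Constructed sample references, using the article's example hostnames.
const page = "http://www.example.com/index.html";
for (const src of ["/scripts/webtrends.js",
                   "http://scripts.example.com/webtrends.js",
                   "http://www.example123.com/webtrends.js"]) {
  console.log(src, "->", classifyTagSrc(page, src).status);
}
```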