2

I noticed a recent error log e-mail showed that one of my intranet app's users had, for our non-FQDN, never-GA-using intranet app, a standard _ga cookie in addition to my app's normal cookie on the domain myapp. How could it have gotten there?

(I.e. shouldn't that require me to include some Analytics script of some kind? How can they put a cookie on my domain without me serving up any of their code? Isn't this some kind of security breach, when I never use Google Analytics?)

The only thing I can think of that might be related is we had a few users who would be redirected to a Google search for "myapp" when they would write myapp in the address bar, after Firefox changed the default way this was handled around version 32 or so. But how that would then allow GA to send a cookie for our private non-internet-accessible domain is what I don't understand, because I thought that was not allowed.

Kev
  • 15,899
  • 15
  • 79
  • 112
  • 1
    Perhaps one of your users did for a lark execute the GA code in his browsers console. Frankly I do not think this is an answerable question, but Google does not and cannot slip cookies into your domain and there would be no profit for them if they could. – Eike Pierstorff Jul 31 '15 at 15:38
  • @EikePierstorff, I don't think this particular user knows what the browser console is, let alone would go get GA code from somewhere and try to execute it. Maybe it's a browser bug? – Kev Jul 31 '15 at 15:49
  • Assuming the user didn't do it, the only scenario in which I could see this happening would be if the user had a browser plugin installed that manipulated the page into making the call. – joshb Jul 31 '15 at 21:16
  • @joshb that could be it, I'll check their installed plugins. – Kev Aug 01 '15 at 08:12

0 Answers0