This is the code my Piwik installation tells me to add to my pages:

<!-- Piwik -->
<script type="text/javascript">
var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/piwik/" : "http://example.com/piwik/");
document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
</script><script type="text/javascript">
try {
var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
piwikTracker.trackPageView();
piwikTracker.enableLinkTracking();
} catch( err ) {}
</script><noscript><p><img src="http://example.com/piwik/piwik.php?idsite=1" style="border:0" alt=""/></p></noscript>
<!-- End Piwik Tag -->

This is the output from the Piwik module (with JS caching):

<script type="text/javascript">
<!--//--><![CDATA[//><!--
var pkBaseURL = (("https:" == document.location.protocol) ? "" : "http://example.com/piwik");
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
try {var piwikTracker = Piwik.getTracker(pkBaseURL + "/piwik.php", "1");piwikTracker.trackPageView();piwikTracker.enableLinkTracking();} catch(err) {}
//--><!]]>
</script>

1) Importantly, the Piwik module is not adding the inline <noscript> image, which is used to track users without javascript enabled.
2) There is also a minor error in that the value of the site-id should be an integer and not a string.

On a final point, when you do not have https assigned, this line could be improved:

var pkBaseURL = (("https:" == document.location.protocol) ? "" : "http://example.com/piwik");

To simply:

var pkBaseURL = "http://example.com/piwik";

Comments

hass’s picture

Category: bug » support

The noscript code has added Piwik advertisements to your page in the past. If this hasn't been removed I will not add it to the module. This is why it was removed. GA also doesn't have a noscript part, as it is very useless to track spiders accessing your images. Users are important.

The rest is nothing to worry about. Everything works as it should.

bengtan’s picture

Status: new; File size: 557 bytes

Hi,

Any chance on making the <noscript> tag configurable?

Then users can decide whether to:

1. Track non-javascript visitors and spiders (by having <noscript>), or
2. Not track non-javascript visitors and not track spiders.

Some people may decide that tracking non-javascript visitors is important enough that they don't mind also tracking spiders.

Anyway, here is a patch (against 6.x-1.1) I prepared before I found this ticket. Needs work though - not sure if it will work if the output of piwik.module is not placed in the footer.

hass’s picture

Category: support » feature
Status: Active » Needs work

Needs check_url() and maybe $id validation or XSS may be possible.

bengtan’s picture

Thanks for the feedback and yes, I agree the patch needs work.

The question is ... are you okay with the idea of making <noscript> configurable?

If so, I can redo the patch properly with configurability. If not, there's no point for me to pursue this any further.

hass’s picture

Yes, a config option is OK, but it needs to be disabled by default.

bengtan’s picture

Status: Needs work » Needs review
Status: new; File size: 1.52 KB

Hi,

Patch attached. Please review and comment. Feel free to change any of the title and description strings.

Also, this patch doesn't handle relative urls, so if you accept #751466: Allow relative Piwik http urls, then either that patch or this patch needs to be modified to resolve conflicts.

Thank you.

hass’s picture

Now, after a review of your patch, I remember why I refused to implement this feature in the past. The reason is very simple: $_SERVER['HTTPS'] is not available behind load balancers that do SSL offloading on the load balancer and connect via HTTP to the web server. I tend to say BY DESIGN.

bengtan’s picture

I wasn't aware of this limitation with load balancers, but it sounds logical. If there's no other way at the server-side to detect the use of SSL besides $_SERVER['HTTPS'], then I've pushed this patch as far as I want to for now.

Thank you.

hass’s picture

Status: Needs review » Closed (works as designed)
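
The two review points raised in this thread (validate the URL and site id before emitting the <noscript> tag, and $_SERVER['HTTPS'] being absent behind an SSL-offloading load balancer), as an added stand-alone PHP example that is not part of the thread, the attached patches or piwik.module. The function names, the trusted-proxy list and a load balancer that sets X-Forwarded-Proto are assumptions; inside Drupal, check_url() would take the place of the URL check and escaping shown here.

```php
<?php
// Added illustration; not code from piwik.module or the patch in this thread.
// Function names, proxy list and sample values are assumptions (constructed).

// True if the visitor's request used HTTPS. Behind an SSL-offloading load
// balancer $_SERVER['HTTPS'] is unset, so X-Forwarded-Proto is consulted, but
// only when the direct peer is a proxy we operate: any client can send it.
function request_is_https(array $server, array $trusted_proxies): bool {
  if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
    return true;
  }
  $peer  = $server['REMOTE_ADDR'] ?? '';
  $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
  return in_array($peer, $trusted_proxies, true) && $proto === 'https';
}

// Build the <noscript> fallback; returns '' instead of markup when the
// site id or the base URL fails validation.
function piwik_noscript_tag(string $url_http, string $url_https, $site_id, bool $https): string {
  // Site id must be digits only, so it cannot alter the query string or markup.
  if (!is_scalar($site_id) || !ctype_digit((string) $site_id)) {
    return '';
  }
  $base = ($https && $url_https !== '') ? $url_https : $url_http;
  // Accept only absolute http(s) URLs without quotes, brackets or whitespace.
  if (!preg_match('#^https?://[^\s"\'<>]+\z#i', $base)) {
    return '';
  }
  $src = rtrim($base, '/') . '/piwik.php?idsite=' . (int) $site_id;
  // Escape for the HTML attribute context.
  $src = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
  return '<noscript><p><img src="' . $src . '" style="border:0" alt="" /></p></noscript>';
}

// Constructed requests: 192.0.2.10 stands in for the load balancer.
$proxies   = ['192.0.2.10'];
$offloaded = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$forged    = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$http  = 'http://example.com/piwik';
$https = 'https://example.com/piwik';

// Cases: request via the proxy, header sent by an untrusted peer, malformed id.
foreach ([[$offloaded, 1], [$forged, 1], [$offloaded, '1"><b>']] as [$req, $id]) {
  var_dump(piwik_noscript_tag($http, $https, $id, request_is_https($req, $proxies)));
}
```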