We recently discovered an issue with our suggested installation of the tracker client. Specifically, we were using protocol-relative URLs together with the crossorigin attribute:

<script src="https://cdn.trackjs.com/agent/v3/latest/t.js"
  crossorigin="anonymous"></script>

We’ve talked about the crossorigin attribute before, because it helps prevent browsers from obfuscating error messages. But if the script is not served with the CORS headers, the browser blocks the script entirely.

This shouldn’t have been a problem, as we’ve configured our CDN to serve with CORS headers. However, some nasty corporate proxies strip the Origin header from unencrypted requests, preventing the browser from processing CORS!

This had the unfortunate effect of blocking the tracker from loading for certain users of unencrypted sites. This is irresponsible behavior on the part of the corporate proxies in our opinion, but c’est la vie.

We are changing our installation recommendation to always load the tracker script via SSL. This has a negligible performance hit due to the SSL handshake, but makes the request secure from these man-in-the-middle manipulations. We encourage you to update your tracker installation to use SSL.
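
The failure and the fix described above, modelled as an added example (not TrackJS code). It assumes a CDN that returns Access-Control-Allow-Origin only when the request carries Origin and a proxy that does not inspect TLS traffic; cdn.example.test, the page URLs and every function name are hypothetical.

```javascript
// Added illustration; every name and host here is hypothetical.

// CDN (assumed behaviour): returns CORS headers only when the request has Origin.
function cdnRespond(request) {
  const headers = { 'content-type': 'application/javascript' };
  if (request.headers.origin) headers['access-control-allow-origin'] = '*';
  return { status: 200, headers };
}

// Proxy from the post: strips Origin, but only from requests it can read (plain HTTP).
function corporateProxy(request) {
  if (request.scheme !== 'http') return request; // assumed: TLS traffic is not inspected
  const headers = { ...request.headers };
  delete headers.origin;
  return { ...request, headers };
}

// Browser CORS check for a request without credentials (crossorigin="anonymous").
function corsCheck(pageOrigin, response) {
  const allowed = response.headers['access-control-allow-origin'];
  return allowed === '*' || allowed === pageOrigin;
}

// Resolve src against the page URL as the browser does, then run the exchange.
function loadScript(pageUrl, src, crossorigin) {
  const page = new URL(pageUrl);
  const url = new URL(src, page); // "//host/x" inherits the page's scheme
  const request = { scheme: url.protocol.slice(0, -1), headers: {} };
  if (crossorigin) request.headers.origin = page.origin; // CORS mode sends Origin
  const response = cdnRespond(corporateProxy(request));
  // Without crossorigin there is no CORS check, but error details are masked.
  if (!crossorigin) return { loaded: true, detailedErrors: false };
  const ok = corsCheck(page.origin, response);
  return { loaded: ok, detailedErrors: ok };
}

const demoPage = 'http://intranet.example.test/app'; // constructed sample page
for (const src of ['//cdn.example.test/t.js', 'https://cdn.example.test/t.js']) {
  console.log(src, loadScript(demoPage, src, true));
}
```

On the unencrypted page the protocol-relative src resolves to http, the proxy removes Origin, and the CORS check fails; the explicit https src passes through the proxy untouched and loads with full error detail.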

CEO TrackJS
Todd is a software engineer, business leader, and developer advocate with 20+ years of experience. He is a co-founder and CEO of TrackJS and Request Metrics,...
