We recently discovered an issue with our suggested installation of the tracker client. Specifically, that we were using protocol-relative URLS and using the crossorigin attribute:

<script type="text/javascript" src="//d2zah9y47r7bi2.cloudfront.net/releases/current/tracker.js" crossorigin="anonymous"></script>

We’ve talked about the crossorigin attribute before, because it helps prevent browsers from obfuscating error messages. But if the script is not served with the CORS headers, the browser blocks the script entirely.

This shouldn’t have been a problem , as we’ve configured Cloudfront to serve with CORS headers. However, some nasty corporate proxies strip the Origin header from unencrypted requests, preventing Cloudfront from processing CORS!

This had the unfortunate effect of blocking the tracker from loading for certain users of unencrypted sites. This is irresponsible behavior on the part of the corporate proxies in our opinion, but c’est la vie.

We are changing our installation recommendation to always load the tracker script via SSL. This has a negligible performance hit due to the SSL handshake, but makes the request secure from these man-in-the-middle manipulations. We encourage you to update your tracker installation to use SSL

<script type="text/javascript" src="https://d2zah9y47r7bi2.cloudfront.net/releases/current/tracker.js" crossorigin="anonymous"></script>

Not using TrackJS? Let us manage all this complexity for you and tell you when your users run into trouble. Get started with 30 days of free error tracking and bug fixing.