search

shurcooL / Go-Package-Store

An app that displays updates for the Go packages in your GOPATH.
MIT License
900 stars 29 forks source link

Google Analytics URL's procotol should be HTTPS (or relative) #83

Closed bradleyfalzon closed 7 years ago

bradleyfalzon commented 7 years ago

I use Go-Package-Store behind a HTTPS reverse proxy, so connects via HTTPS, but the updates page loads Google Analytics javascript via HTTP.

https://github.com/shurcooL/Go-Package-Store/blob/b83b9aa8766697f6897f2d3e5d25aa292a893410/cmd/Go-Package-Store/index.go#L20

I think that the URL should be https://www.google-analytics.com/analytics.js, as there's little reason why you wouldn't want this over HTTPS anyway, but it probably could be (haven't checked) //www.google-analytics.com/analytics.js.

I do note that HTTPS is the default from Google Analytics, so unsure whether this was intentional.

bradleyfalzon commented 7 years ago

Having said this, I don't mind the GA is broken, is there any reason you want it to be running on my instance?

dmitshur commented 7 years ago

Thanks, I'll look into it. Using either https or omitting scheme from the URL is likely a good solution.

is there any reason you want it to be running on my instance?

The motivation was explained in commit message of e294f927573ab24be168ea7733997bae61900dc9.

That said, I'm open to consider removing it if it improves the user experience. But the downside is that I might end up investing less time/effort in GPS if I don't know how often it's used, so the user experience might end up suffering instead. It's a tough call.

What are some benefits if it's removed?

bradleyfalzon commented 7 years ago

What are some benefits if it's removed?

It's more that it wasn't expected, it's tracking my usage of the software without me knowing - this is normal for websites, but I wouldn't have considered the same for software I run locally. I trust you, and have no problems in this.

Perhaps noting this behaviour in the README, along with a flag to opt-out?

EDIT: but I don't want to derail this issue into whether it should be enabled or not, I have no problems if it's running, if others do, they can raise the issue and reasons themselves.

dmitshur commented 7 years ago

Sounds good, we'll limit the scope of this issue to getting the URL scheme resolved. Removing or dealing with GA altogether can be discussed in a separate issue.