Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

I recently started having issues with the admin interface of a website I run and decided to check the browser console to see if any errors were being displayed there. There were, and among them was an error stating that a JavaScript map file that I did not recognise was being loaded (and failing). This meant that the actual JavaScript file itself was already loaded via my website. This set off all sorts of alarms for me and I started to dig in further.


I checked the file system for any suspicious files; there were none. I checked the source code and templates for evidence of anything that had been added; there was nothing there. Yet all my pages were being served with the following <script> injected into them just before the closing </html> tag:
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'xxxxxxxx0000'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>

Of course, that comment in the script was a giveaway of what was going on, but I didn't immediately want to believe that the website host itself would be injecting a JavaScript script into my website without my consent! It turned out that's exactly what GoDaddy was doing, and they justified it as collecting metrics to improve performance.
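The comparison described above (nothing in the templates, yet a script in every served page) can be automated. The following is an added example, not code from the original post: it parses the HTML the application renders and the HTML a visitor receives, and reports any <script> that appears only in the latter. The sample pages, the shortened inline snippet, /js/admin.js and all function names are constructed for illustration; only the img1.wsimg.com URL is taken from the post.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Records each <script> as (kind, identifier, seen_after_body_close)."""

    def __init__(self):
        super().__init__()
        self.scripts, self._inline, self._body_closed = [], None, False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.scripts.append(("external", src, self._body_closed))
        elif tag == "script":
            self._inline = []  # start buffering inline code

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "body":
            self._body_closed = True
        elif tag == "script" and self._inline is not None:
            code = "".join(self._inline).strip().encode()
            digest = hashlib.sha256(code).hexdigest()[:16]  # stable id for inline code
            self.scripts.append(("inline", digest, self._body_closed))
            self._inline = None

def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def injected_scripts(rendered, served):
    """Scripts in `served` that the application did not render itself."""
    known = {(kind, ident) for kind, ident, _ in collect(rendered)}
    return [s for s in collect(served) if (s[0], s[1]) not in known]

# Constructed sample: app output vs. the same page as a visitor receives it.
RENDERED = ("<html><head><script src='/js/admin.js'></script></head>"
            "<body><p>Hello</p><script>init();</script></body></html>")
INJECTED = ("<script>window._trfd=[];_trfd.push({'ap':'cpsh'})</script><script "
            "src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>")
SERVED = RENDERED.replace("</html>", INJECTED + "</html>")
if __name__ == "__main__":
    print(*injected_scripts(RENDERED, SERVED), sep="\n")
```

The third field of each result is True when the script sits after the closing </body> tag, which is where the snippet in this post was placed.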

The technology in use here is called Real User Metrics, and GoDaddy has a help page about it titled "Why am I signed up for Real User Metrics?". If you happen to be a customer in the US (which I am not, but the website is hosted in a US data centre) then you are automatically opted into this service and all your website's pages will have this JavaScript injected into them.

The worst part of it is GoDaddy, in their help article, admits that this could slow down or break your site! So much for a tool that is designed to improve performance and reliability!
"Most customers won't experience issues when opted-in to RUM, but the javascript used may cause issues including slower site performance, or a broken/inoperable website."

Luckily there is a way to turn this off - by opting out. Here's how. From the Hosting console, click on the ellipsis (...) in the top right hand corner, then click 'Help Us'.

On the dialogue box that comes up, click 'Opt Out'.

You can only opt-in or opt-out once every 24 hours - which is plenty enough to make this go away. After opting out this JavaScript disappeared from the website.

I am not against web host providers monitoring how their servers are running. Using a technology like RUM is a great way to do it, but this is meant to be a passive technology that is invisible to the end user. Injecting JavaScript into pages being served is far from passive and, at least in my eyes, is a violation of trust between the web host and the customer. I suggest you take this issue into account and make sure to read more about GoDaddy before you settle on a hosting provider.

By the way, the issues I was having with the admin interface turned out to be unrelated to this and were instead a bug in Safari, which is resolved by closing Safari down and opening it again. Maybe more on that later, though.


A quick disclaimer...

Although I put a great effort into researching all the topics I cover, mistakes can happen. Use of any information from my blog posts should be at your own risk and I do not hold any liability towards any information misuse or damages caused by following any of my posts.

All content and opinions expressed on this Blog are my own and do not represent the opinions of my employer (Oracle). Use of any information contained in this blog post/article is subject to this disclaimer.
NOTE: (2022) This Blog is no longer maintained and I will not be answering any emails or comments.

I am now focusing on Atari Gamer.