Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

I recently started having issues with the admin interface of a website I run and decided to check the browser console to see if any errors were being displayed there. There were and among them was an error stating that a JavaScript map file being loaded (and failing) that I did not recognise. This meant that the actual JavaScript file itself was already loaded via my website. This set off all sorts of alarms for me and I started to dig in further.
rum_1.png

rum_2.png


I checked the file system for any suspicious files, there were none. I checked the source code and templates for evidence of anything that has been added, there was nothing there. Yet all my pages were being served with the following <script> injected into them just before the closing </html> tag...
 JavaScript
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'xxxxxxxx0000'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>


Of course that comment in the script was a give away of what was going on but I didn't immediately want to believe that the website host itself would be injecting a JavaScript script into my website without my consent! Turned out that's exactly what GoDaddy was doing and they justified it as collecting metrics to improve performance.

The technology that's in use here is called Real User Metrics and GoDaddy has a page about it here - Why am I signed up for Real User Metrics?. If you happen to be a customer in US (which I am not but the website is hosted in a US data centre) then you are automatically opted into this service and all your website's pages will have this JavaScript injected into them.



The worst part of it is GoDaddy, in their help article, admits that this could slow down or break your site! So much for a tool that is designed to improve performance and reliability!
Most customers won't experience issues when opted-in to RUM, but the javascript used may cause issues including slower site performance, or a broken/inoperable website.


Luckily there is a way to turn this off - by opting out. Here's how. From the Hosting console, click on the ellipsis (...) in the top right hand corner, then click 'Help Us'.
rum_3.png


On the dialogue box that comes up, click 'Opt Out'.
rum_4.png


You can only opt-in or opt-out once every 24 hours - which is plenty enough to make this go away. After opting out this JavaScript disappeared from the website.

I am not against web host providers monitoring how their servers are running. Using a technology like RUM is a great way to do it, but this is meant to be a passive technology that is invisible to the end user. Injecting JavaScript into pages being served is far from passive and, at least in my eyes, is a violation of trust between the web host and the customer.

By the way the issues I was having with the admin interface turned out to be unrelated to this but were rather a bug in Safari which is resolved by closing Safari down and opening it again, maybe more on that later though.

-i

Skip down to comments...
Hope you found this post useful...

...so please read on! I love writing articles that provide beneficial information, tips and examples to my readers. All information on my blog is provided free of charge and I encourage you to share it as you wish. There is a small favour I ask in return however - engage in comments below, provide feedback, and if you see mistakes let me know.

If you want to show additional support and help me pay for web hosting and domain name registration, donations, no matter how small, are always welcome!

Use of any information contained in this blog post/article is subject to this disclaimer.
 
comments powered by Disqus
Other posts you may like...