6 Issues to watch out for with JS Event Tracking

All behavioral analytics platforms track user actions, using several alternatives for integration within a website or app. One of the key methods is using a designated event tracker for JavaScript. In addition to understanding the importance of using this method, one must also recognize that there are a number of inherent issues to beware of when implementing JS event tracking, including:

  1. Standard and secure code
  2. Cross-site scripting
  3. Cross-browser functionality
  4. Minimal site performance impact
  5. Cross-topology and location functionality
  6. Data limitations


Standard and Secure Code

JavaScript is a critical component in the capture of events for use in any analytics platform. We recognize the importance of using code that customers can easily and safely incorporate into their sites and apps.

Standards are needed for formatting and styling JavaScript code to maintain consistency, and to ensure an easy implementation process.

There are a number of inherent security issues to be considered when creating JavaScript code. It is crucial to make every effort in the area of security, so that the tracking code is safe for use in all environments.


Cross-Site Scripting

One of the most significant security vulnerabilities found in client-side scripting is called cross-site scripting (XSS). XSS enables attacks on web pages through the injection of client-side scripts which can then be viewed and executed by other users. This type of attack can be used, as an example, to bypass access controls on the site. Dynamically generated HTML pages are susceptible to this, unless inputs are validated either on the way in or out.

If input to a dynamic page is not validated, the following issues can result:

  • Compromised data integrity
  • Manipulation of cookies
  • Capture of user input
  • Execution of malicious scripts, as if they were from a trusted source

Cross-site scripting attacks can generally be prevented by encoding output based on input parameters, and filtering the input and output parameters for special characters. Including simple validation checks on the inputs and outputs can provide the protection that is needed against this vulnerability. Every site, page, and field must be evaluated for the cross-site scripting vulnerability.
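As an added illustration (not CoolaData's code), the sketch below applies both controls to a tracked event: properties are validated when they are captured, and every value is encoded at the point where it is written into HTML, such as a dashboard row. The function names, the naming rule, the length cap and the sample event are assumptions made for the example.

```javascript
// Added example: validate tracked event properties on the way in and
// encode them on the way out. All names here are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: neutralise the characters that let text become markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,31}$/; // assumed naming rule
const MAX_VALUE_LENGTH = 256;                          // assumed size cap

// Input validation: keep only well-named, primitive, bounded properties.
function validateEvent(name, properties) {
  if (!NAME_PATTERN.test(name)) {
    throw new Error('invalid event name');
  }
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(properties)) {
    const primitive = ['string', 'number', 'boolean'].includes(typeof value);
    if (!NAME_PATTERN.test(key) || !primitive) {
      rejected.push(key);
      continue;
    }
    accepted[key] = String(value).slice(0, MAX_VALUE_LENGTH);
  }
  return { name, properties: accepted, rejected };
}

// Rendering for a dashboard or debug panel: every value is encoded where
// it enters HTML, even though it was validated earlier.
function renderEventRow(event) {
  const cells = Object.entries(event.properties)
    .map(([k, v]) => `<td data-prop="${encodeForHtml(k)}">${encodeForHtml(v)}</td>`)
    .join('');
  return `<tr><th>${encodeForHtml(event.name)}</th>${cells}</tr>`;
}

// Constructed sample: a search term taken from the page URL carries markup.
const sample = validateEvent('search', {
  term: '<img src=x onerror=alert(1)>',
  page: 3,
  'bad key"': 'x',
  nested: { a: 1 },
});
console.log(renderEventRow(sample));
```

Validation alone would have let the `term` value through, because a search term is legitimately free text; it is the encoding step that keeps it inert when displayed.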

We at CoolaData develop our JavaScript code with these concerns in mind, and provide our customers with the instructions and assistance they need to implement it securely and successfully.


Cross-Browser Functionality

Making sure that your JavaScript code works on all of the various browsers and platforms that exist is a major undertaking, and one that cannot be overlooked. JS event tracking scripts must be able to function in all environments, and provide the required features in all situations. More advanced analytics tools use cross-browser techniques, such as feature detection and testing, to ensure that the code is truly cross-browser functional. The code should comply with all standards for browser scripting languages published by the World Wide Web Consortium (W3C) on the Document Object Model (DOM).


Minimal Site Performance Impact

It is important for any JavaScript code developer to make sure that their script does not impact the performance of the site in any of the following areas:

  • Response times
  • Errors
  • Exceptions
  • Memory consumption

Good performance is essential for a good user experience on a site. Users expect reasonable load times, smooth animation, and responsive interaction. When these are achieved, the user feels a sense of immersion in the site. If that is lost, then you’ve lost the user. For that reason, it is critical to minimize any impact on the end user experience due to performance issues.


Cross-Topology and Location Functionality

JavaScript code must work from any client, at any time. Regardless of the physical or virtual environment that the client is working from, the code must execute properly, without fail.

For example, if our customer is based in the US, and his customers are based in China, the script needs to run perfectly across the following:

  • Countries or continents
  • Communication providers
  • Physical or virtual networks


Data Limitations

There are certain data limits that must be understood when creating JS code. In order to avoid the ‘maximum request length exceeded’ type of message, we must know what those limitations are.

Understanding the difference between the maximum length of an HTTP GET request and that of an HTTP POST request, and knowing when it is appropriate to substitute one for the other, is crucial. There are data limits on both the client and the server side to consider, and each request type relies on the client or server differently.

Most web servers have a default limit of about 16Kb for HTTP GET requests, but the limit for HTTP POST is normally 2Gb. The GET request is much more reliant on the client browser, and each browser has its own limit as well. For instance, HTTP GET requests have the following limits for these browsers:

  • Internet Explorer: 2Kb
  • Opera: ~200Kb
  • Firefox: ~100Kb
  • Chrome, Safari: ~100Kb (both based on WebKit)

If the limit for the HTTP GET request is exceeded in either the browser or the server, the extra characters will often simply be truncated. Other times, you may receive an HTTP 414 error. Where the limit for the HTTP POST request is exceeded on the server, an HTTP 500 error is usually the result.

These are some examples of the attention to detail that data limitations demand when coding with JavaScript.
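The following added example (not CoolaData's code) shows one way a tracker can respect these limits: it measures the final encoded URL and falls back to POST, and the receiving side rejects a payload that arrived truncated instead of storing a partial event. The endpoint, the function names and the sample events are constructed, and the 2048-character threshold is an assumption taken from the 2Kb Internet Explorer figure above.

```javascript
// Added example; endpoint, function names and sample events are constructed.
const MAX_GET_URL_LENGTH = 2048; // assumption: the 2Kb Internet Explorer figure above

// Sending side: measure the final, percent-encoded URL (encoding can
// multiply the size of a character) and switch to POST before the limit.
function buildTrackingRequest(endpoint, event, maxUrlLength = MAX_GET_URL_LENGTH) {
  const json = JSON.stringify(event);
  const url = `${endpoint}?data=${encodeURIComponent(json)}`;
  if (url.length <= maxUrlLength) {
    return { method: 'GET', url, body: null };
  }
  return { method: 'POST', url: endpoint, body: json };
}

// Receiving side: a URL cut off in transit leaves a broken percent-escape
// or incomplete JSON. Reject it instead of storing a partial event.
function parseTrackedData(encoded) {
  try {
    return { ok: true, event: JSON.parse(decodeURIComponent(encoded)) };
  } catch (err) {
    return { ok: false, reason: err.name }; // URIError or SyntaxError
  }
}

const ENDPOINT = 'https://collector.example/track';

// A short event fits comfortably in a GET request.
const smallRequest = buildTrackingRequest(ENDPOINT, {
  name: 'click',
  props: { id: 'buy' },
});

// 400 accented characters are about 430 characters of JSON, but each one
// becomes six characters once percent-encoded, so the URL would exceed 2048.
const largeRequest = buildTrackingRequest(ENDPOINT, {
  name: 'form',
  props: { text: 'é'.repeat(400) },
});

console.log(smallRequest.method, largeRequest.method);
```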



All of the points mentioned above are key to production-grade JS tracking code. CoolaData uses JavaScript event tracking to capture important data about user behavior for the purpose of analytics. While implementing this powerful tool, we also recognize the issues involved in its use.

We at CoolaData want our customers to know that adhering to standards, understanding the importance of security, and providing for site functionality are issues that we take seriously.
