Bug 1379607 - Reimplement Google Analytics on bugzilla.mozilla.org

[kyoshino]

Fix Bug 1379607 - Reimplement Google Analytics on bugzilla.mozilla.org

Features

• Add a new, portable extension with an admin panel where each Bugzilla instance can enable GA by simply providing their Tracking ID, like WordPress.com
• Allow site admins to toogle debugging mode so they can test GA using the browser's console
• Log template names instead of actual URLs so it's easier to distinguish some multiple section pages, e.g. search options and user preferences

Security

• Modify CSP to allow GA to run, but it doesn't require unsafe-inline especially on the home page, since the modified tracking code doesn't rely on any inline script
• Disable tracking on confidential bugs as well as of core-security group members
• Prevent URL params being sent to GA by only logging template names as noted above, and using the location field instead of the page field for page view tracking
  • I've noticed that, if the page field is used like the previous implementation, the location field is automatically sent to GA with the actual URL containing params, though you may only see the page field on GA reports. So the location field should be used to address the security concern

Privacy

• Omit part of the page title of some user-related pages
• Respect Do Not Track, with the help of dnt-helper.js, in accordance with Mozilla Website Privacy Notice
• Anonymize IP address for even better privacy

[floatingatoll]

Could you say more about this part: "Anonymize IP address, rather than respecting Do Not Track" ?

[kyoshino]

Anonymizing IP address is a feature of GA itself. GA will still track visitors but it doesn't record their real IP address.

I believe that site analytics using 1st party cookies is not subject to Do Not Track, and the previous implementation didn't respect DNT actually. But hmm, Mozilla's Website Privacy Notice says GA needs to be disabled when DNT is used:

If you have configured your browser to send a “Do Not Track” signal when accessing our websites, Mozilla will not utilize any of the tools described in the Metrics section.

Then I'll update the pull request to get it covered.

[kyoshino]

Okay, so I've eventually made a separate extension with a new admin panel, making the tracking ID configurable.

[dylanwh]

@kyoshino I haven't seen anything beyond what glob noticed. The test failure is not related (just noise). Do you have time to make those changes or do you need me to step in and do it?

[kyoshino]

@globau Thanks for your review! @dylanwh Updated the PR to address the comments. Also added collapse to the title filter to make sure a proper page title is sent to GA.

[dylanwh]

Getting an error:

Content Security Policy: The page’s settings blocked the loading of a resource at data:application/javascript;base64,KGZ1b

[kyoshino]

On which page? I don't see any error on my vagrant box 🤔

[kyoshino]

You might have uBlock Origin enabled, like mozilla-services/screenshots#2790