google-analyticsbrowser-extension

Can't Add Google Analytics to Chrome extension without api_secret


Can someone please help me add gtag to Chrome extension? My chrome extension includes a newtab.html page that overrides new tab. I found a tutorial here: https://github.com/GoogleChrome/chrome-extensions-samples/tree/main/functional-samples/tutorial.google-analytics. and it's working well. But my concern is, is it ok if that <api_secret> mentioned in scripts/google-analytics.js in that repository to be in extension code?

I think it's impossible to hide such static API_SECRETS in chrome extension code. But I wanna know what happens if someone finds this particular <api_secret> and why that official tutorial added this in extension's client side code which anyone can see.

by the way, I generated that <api_secret> from: Admin -> Data collections and modifications -> Data Streams -> selected my stream -> Measurement Protocol API secrets -> Create

Expecting to know if there's a way to link gtag without using api_secret. Or if there's no other way, what can possibly happen if this api_secret is known to public.


Solution

  • This uses the API secret because it doesn't actually use gtag.js. It uses the measurement protocol. The MP is meant to be used on the backend though can be used anywhere. It's just an API.

    From the example you've linked, it seems like that tracking is being used to track the popup. Which is odd since why not just import your gtag.js exactly how google offers it for regular web pages. Maybe there are some limitations in extensions regarding loading gtag in it? Gtag is definitely larger than the code you've linked to.

    The example you've linked to should also be able to allow you to send events from your background script, which gives you waaaay more tracking power than just in the popup. gtag.js won't be able to work in the background as far as I know.

    Regarding the api secret. In your case, there's no danger at all exposing it because the only thing it allows is sending the events to its data stream, nothing else. Since your events are being sent on the front-end, they're already sniffable and are equally vulnerable regardless of whether they're protected with the api authentication or not. Even if the key wasn't exposed in the extension's source, it's still visible in the network or could be easily sniffed by deploying a local mitm. It's not that valuable on the backend either given how you get measurement ids for every data stream that effectively act as an auth key, but shorter.

    Finally, personally I never add tracking to my extensions. While I don't care whether I'm tracked or not, I consider it a good tone not to track people who use your products. I see it as a small breach of trust. Lots of people aren't comfortable with being tracked. Just a bit of food for thought.