How does javascript tracking work exactly?


When I am logged in into my matomo dashboard and I visit my website, I can see that the tracking code works correctly.

However when I am not logged in into Matomo, and I visit the website, no logs are imported into Matomo.

How does the javascript tracking code work exactly? Is this behaviour expected?


I am thinking about something else…
Do you use an adblocker?

If you have uBlock Origin (or some other adblocker) matomo or a “tracker” will not be able to see you. (I know that uBlock Origin block matomo code)

To log into matomo you need to disable uBO, so now matomo can see you, if when you log out you re-activate your adblocker matomo will not be able to see you again.


No, I do not have Adblock, but I think this is not a issue with Matomo but with our infrastructure. I will investigate further and give feedback if needed.


@Patrice well I have another question that might be a little “stupid”. Since the tracking code is visible in the website source, what stops random malicious users to use the same tracking code in their random websites so that their logs are sent to my Matomo webpage? Is there any type of host url authentication?


It is not stupid :wink:
By default matomo will NOT record/listen/monitor any request from another domain where the site id for a domain is not defined. Which means matomo will monitor only the domains you have set up

In the admin at /System/General Settings/ you have a " Cross-Origin Resource Sharing (CORS) domains" which allows you to add domains or sub-domains you want matomo to monitor too.

So if you did not put any domain in there (CORS) matomo will NOT monitor domains that are not in its database.

(Lukas Winkler) #6


Just to correct this a bit:

Yes, you can configure which Domains Matomo should accept website visits from (in the website settings)

But this has nothing to do with CORS. This setting just configures the CORS header Matomo sends and you should only need to change it if you want to access the Matomo API from another domain.


@Lukas Thanks to correct and clarify


Yes, you can configure which Domains Matomo should accept website visits from (in the website settings)

Can this be done configured as the default option for all the websites?


@Lukas I am asking this because I might need to import a lot of websites at once, and I would prefer than the javascript tracking will work only on the specific websites.