Widget embed question

Hi,
I am learning how to embed Piwik widgets.

I’ve read that I can “embed” them in several ways:

  • passing the security token, useful on “private” pages
  • without the security token, useful on “public” pages, but I need to allow at least “read” for anonymous users…

Well, I was thinking instead of using PHP (passing the widget URL with my secret token to file_get_contents…) to get the widget HTML and then embed only the resulting HTML on a web page. I tried it and it… kinda works, but style and behaviour are broken, I think because some CSS and JS files in the widget HTML are linked using relative URLs

like


<link rel="stylesheet" type="text/css" href="index.php?module=Proxy&action=getCss&cb=d507bfb5bdcd3ffe650529b5fb1b6537" />

and the same for all the graphic elements of the widget, like


<img class="sparkline" alt="" src="?module=VisitsSummary&token_aut.....

The widget HTML, with relative links, of course works perfectly in IFRAME tags, because they use an absolute SRC attribute, and inside IFRAMEs all relative links are resolved against that absolute SRC; but in my case I get weird things because those relative links are resolved against my PHP script’s absolute URL, which has nothing to do with my Piwik server URL…

Would it be possible to use a GET parameter in the widget calling URL to get absolute links? And would they work?

Thanks,
Marco

The solution would be to put your proxy script in an iframe

…yes… that should work; to be honest I thought of that at the very beginning…
…but later completely forgot to explore that possibility… :sunglasses:

Thank you, I will report my results here, as feedback for other users! :slight_smile:

Marco

…well, maybe I miss some point, but that doesn’t work either… :frowning:

  • I have the Piwik server on “piwik.mysite.com”
  • I have a “monitoring site” (“www.mysite.com”) and there a page where I want to embed a widget (in an iframe tag) from the Piwik server, but without putting the “auth token” in the URL of the iframe’s src attribute, and without having to give “view” to anonymous users.

If I put my “php proxy code” as src in the iframe, on “www.mysite.com”, I get the “widget html code” there, but it’s broken, and if I look at this iframe’s content, all relative links are broken, because the “php proxy code” is also on “www.mysite.com” and not on “piwik.mysite.com”, so linked style sheets like


<link rel="stylesheet" type="text/css" href="index.php?module=Proxy&action=getCss&cb=d507bfb5bdcd3ffe650529b5fb1b6537" />

and the same for all the graphic elements of the widget, like


<img class="sparkline" alt="" src="?module=VisitsSummary&token_aut.....

resolve against the iframe src attribute, which is on “www.mysite.com” and not “piwik.mysite.com”, where the linked scripts and style sheets are to be found…

I think that there could be another API parameter for this, asking for something like “links=absolute”, where the default value could be “relative”…

I made it work with two str_replace instructions in the “php proxy”, like:


<?php
// $piwik_api_url holds the widget URL on the Piwik server, token_auth included
$piwik_widget_code = file_get_contents($piwik_api_url);

// make the relative href/src links absolute, pointing at the Piwik server
$piwik_widget_code = str_replace("href=\"index.php", "href=\"http://piwik.mysite.com/index.php", $piwik_widget_code);
$piwik_widget_code = str_replace("src=\"index.php", "src=\"http://piwik.mysite.com/index.php", $piwik_widget_code);
$piwik_widget_code = str_replace("href=\"?", "href=\"http://piwik.mysite.com/?", $piwik_widget_code);
$piwik_widget_code = str_replace("src=\"?", "src=\"http://piwik.mysite.com/?", $piwik_widget_code);

// print the rewritten widget HTML into the iframe body
echo $piwik_widget_code;


and in this way, in the iframe I get a perfect widget… without having to share the auth token, or grant view to anonymous users… (:P)

[update] Well, almost perfect, because ajax functionality is broken with this proxy (like the lower ajax graph links in the VisitsSummary widget) :frowning:

[update #2] …mmm… no, the widgets I get have links (those which enable you to get JSON data, bar graphics, different data series) that expose the auth token anyway, despite all my effort to use a “php proxy” to hide it… :sunglasses:

No, for now I’ll try regular iframes, adding the token in the URL but limiting access to my LAN IP with .htaccess… the best that can be done now…

What do you think? Any other suggestion?

Thanks! Marco

What exactly are your security requirements?

Can’t you create a special user with only read access for that specific use case?

…hi! thanks for replying!

Well, I’m not sure, I’m just exploring the possibilities - I’m quite new to web stats and Piwik in particular, but I love it.

I am wondering how to make Piwik useful, safe and easy for my company: I think I will end up keeping an “internal” page with some easy-to-read graphics and numbers about our web sites, and/or PDFs to download, but I don’t like the idea that people could grab an “auth token” reported by URLs in graphics, or iframes, and share that with friends, or others. I just feel that is not so safe for our “usual” policy.

I could of course use anonymous, with read-only permissions, but without other limitations that would allow anyone to get on my Piwik server and explore everything, and I can’t do that: nothing that secret, but we wish to control what to make available, and the server load can be too much for us, too.

I could also of course create a user with read-only permissions, but with Piwik’s so powerful widgets, anyone grabbing a link with the auth token could use it to show our stats on his pages, even “live” with some widget, and this could be undesirable, if only for the load that this could put on our servers. I am doing this, atm, with an .htaccess policy, as said above, so even with a URL with a valid token, you can see stats about us only from our LAN (I could use other criteria, but atm it’s like that), and not from your home, or from another company, perhaps, loading our server, too!

I can also make a schedule and send reports via e-mail, but widgets on a web page are so cool… and you can interact with them, too: this is great, and I think it will make a big impression, and will be so useful, in the end… I just want to take absolute control over what, when and how to share our stats…

…open to further considerations…

Thanks, Marco

If you use the provided piwik code in the “Widgets” screen it will work, for example:

[quote=matt]
If you use the provided piwik code in the “Widgets” screen it will work, for example:

[/quote]

yes, it works, but:

  • if you want to have “private” stats, you have to put an auth token (or you must already be logged in to Piwik in the same browser instance…)
  • if you want to share those “private” stats you have to put an auth token in the iframe src
  • if you put an auth token in the iframe src, anyone can get the auth token by reading the HTML source…
  • once anyone has a valid auth token, they can load any number of widgets and reports, and API goodies, with it > load on my servers, stats I don’t want them to see…

…I do not want anyone getting my stats freely, I want to be the only one in control of when / what / how to share my private stats…

I’m not saying Piwik should do this, :slight_smile: I’m just saying I hoped to use it like this… I fear that it is not possible through Piwik widgets directly.
I could use PHP or something else to directly query the Piwik database, get the numbers, and build graphics and stats… in this way I could do what I need without sharing or publishing tokens…

Marco

Or you can use a “php bot” or “php proxy” script that will automatically add the URL prefix in the iframe renders

[quote=matt]
Or you can use a “php bot” or “php proxy” script that will automatically add the URL prefix in the iframe renders[/quote]

I already tried using PHP to retrieve the iframe widgets, as reported above, but did not like how it worked: I still had the token “embedded” in the widget code, and ajax not properly working, but maybe I missed some points: what exactly are you suggesting with php bots/proxy? :S

Marco

I think matt is suggesting you should create a PHP proxy which will append the token auth server side.

This way, the embedded widget would not supply the token auth at any time.

To avoid abusive use of this PHP proxy, you should make some safety tests on the requested report.

If it doesn’t already exist, you could create a ticket in trac to ask for a feature request which allows finer ACL. If you need it quickly you could also sponsor such a feature.

[quote=JulienM]
I think matt is suggesting you should create a PHP proxy which will append server side the token auth.
This way, the embedded widget would not supply the token auth at any time.
.[/quote]

I don’t get this… what I already tried (read above) is

  • put a PHP script in my “public” iframe, instead of the API REST URL + auth token
  • the PHP script gets the widget “html” through the API REST URL + auth token (file_get_contents), into a variable
  • the PHP script “prints” the widget “html” from the variable into the iframe body

This, apart from the need to make the “relative” URLs “absolute”, as already said, works: I have my widget in the iframe without having passed any auth code/token, BUT the problem is that widgets are “dynamic” objects:

  • they use ajax to update their graphics, get data in different shapes/forms (e.g. XML, CSV, JSON, etc.),
  • because of this they use the API REST URL + auth token: it’s in the widget “html” code… readable, which I don’t want.
  • widgets do not know my PHP script, they always try to “talk” directly to the Piwik server, not to my PHP script: and they do this with relative URLs, thus they resolve to my embedding server and so ajax is broken! (I could fix this by parsing the jQuery code and modifying it to make those relative URLs absolute, to my Piwik server, but… I’m going out of scope here… too complex to fix and too easily breakable by Piwik updates)

Yes, I could modify the Piwik report-generation code, but that would be breakable by the next Piwik updates.

[quote=JulienM]
If it doesn’t already exist, you could create a ticket in trac to ask for a feature request which allow finer ACL. If you need it quickly you could also sponsor such a feature.[/quote]

I like the idea of ajax widgets, which the user can explore and adjust, get the data from, etc.
Ideally, I feel widgets should - IF and only IF embedded in public pages - be autonomous from the Piwik server, once generated:

  • they should have locally (i.e. in the iframe body) all the data they need to be dynamic, without requiring an auth token to retrieve more data
  • instead public “resources” like jQuery code/images, styles should still be linked to the Piwik server BUT with absolute links, not relative.
    This behaviour could be “switched on” by a REST parameter, like “safe-embed=yes”, or similar… while by default they could behave as usual.

Atm I feel it’s impossible to make Piwik widgets behave like I need. But, as already said, I have now “kinda solved” my privacy concerns using .htaccess rules, but I feel this is a brute-force approach, which I like to use only as a last resort…

I could create a ticket in trac as you said, but first I have to understand if I am missing some point here; I’m too new to Piwik, I could be misunderstanding something…

Thanks, Marco
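
JulienM’s suggestion (a proxy that appends token_auth server side and checks every requested report) and Marco’s observation that the widget’s AJAX calls use relative URLs can be combined into one script. The following is an added example written for this thread; it is not code from the original posts or from Piwik. It assumes the Piwik server at http://piwik.mysite.com/, that the proxy is served as index.php from its own directory on www.mysite.com (so the widget’s relative `index.php?…` and `?…` links, and its AJAX calls, resolve back to the proxy rather than to the Piwik server, which is what broke in the file_get_contents attempt above), that the token is read from an environment variable PIWIK_TOKEN_AUTH, and that the module/action names, API methods and site ids in the allow-lists are the ones the embedded widget actually uses; all of these are assumptions to adapt.

```php
<?php
// widget-proxy/index.php on www.mysite.com (hypothetical path, see lead-in)
//
// Every request the widget makes ("index.php?module=..." or "?module=...") is
// relative to the iframe src, so it lands on this script. The script checks the
// request against an allow-list, appends token_auth server side, fetches the
// result from the Piwik server and relays it. The token never reaches the browser.

$piwikBaseUrl = 'http://piwik.mysite.com/';        // assumed Piwik location
$tokenAuth    = getenv('PIWIK_TOKEN_AUTH') ?: '';  // assumed: token lives in the environment, not in HTML

// Allow-list of module => actions that may be requested through the proxy
// (assumed set; extend it with whatever the embedded widget actually calls).
$allowedActions = [
    'Widgetize'     => ['iframe'],
    'VisitsSummary' => ['index', 'getSparklines', 'getEvolutionGraph'],
    'Proxy'         => ['getCss', 'getJs'],        // Piwik's own CSS/JS bundles
    'API'           => ['index'],
];
// Allow-list of API methods for module=API&method=... (assumed).
$allowedApiMethods = ['VisitsSummary.get', 'VisitsSummary.getVisits'];
// Sites whose reports may be shown (assumed).
$allowedSites = ['1'];

/** Returns true when a request's parameters are fully covered by the allow-lists. */
function requestIsAllowed(array $q, array $actions, array $methods, array $sites): bool
{
    $module = $q['module'] ?? '';
    $action = $q['action'] ?? '';
    if (!isset($actions[$module]) || !in_array($action, $actions[$module], true)) {
        return false;
    }
    // Static assets carry no site id; everything else must name an allowed site.
    if ($module === 'Proxy') {
        return true;
    }
    if (!in_array($q['idSite'] ?? '', $sites, true)) {
        return false;
    }
    // The iframe wrapper names the real widget in moduleToWidgetize/actionToWidgetize
    // (assumed parameter names): check that pair against the same allow-list.
    if ($module === 'Widgetize') {
        $m = $q['moduleToWidgetize'] ?? '';
        $a = $q['actionToWidgetize'] ?? '';
        return isset($actions[$m]) && in_array($a, $actions[$m], true);
    }
    if ($module === 'API') {
        return in_array($q['method'] ?? '', $methods, true);
    }
    return true;
}

/** Drops any token_auth=... that Piwik echoes into links of the returned HTML/JS. */
function stripTokenFromResponse(string $body): string
{
    return preg_replace('/([?&])token_auth=[^&"\'\s]*&?/', '$1', $body);
}

// --- request handling ---
$query = $_GET + $_POST;           // the widget's JS may POST; GET wins on conflict
unset($query['token_auth']);       // whatever the client sent is ignored
if (!requestIsAllowed($query, $allowedActions, $allowedApiMethods, $allowedSites)) {
    http_response_code(403);
    exit('Report not available through this proxy.');
}
$query['token_auth'] = $tokenAuth; // added here, server side only

$upstream = $piwikBaseUrl . 'index.php?' . http_build_query($query);
$context  = stream_context_create(['http' => ['timeout' => 10]]);
$body     = file_get_contents($upstream, false, $context);
if ($body === false) {
    http_response_code(502);
    exit('Piwik server unreachable.');
}

// Relay the upstream content type so CSS, JS, JSON and images are interpreted correctly.
foreach ($http_response_header as $header) {
    if (stripos($header, 'Content-Type:') === 0) {
        header($header);
    }
}
echo stripTokenFromResponse($body);
```

The iframe on www.mysite.com then points at the proxy with the same query string Piwik’s “Widgets” screen gives, minus token_auth. Anything the widget requests that is not on the allow-list gets a 403, so a widget that renders partially means an action is missing from the list; the web server’s log of 403s shows which. The proxy only narrows what the browser can ask for, so the token should still belong to a read-only user as suggested above, and the .htaccess LAN restriction can stay on the proxy directory to decide who may load it at all.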

We’re talking about something like this: Emphasize IT - Software-Entwicklung in Jüterbog von Martin Hennig