Google analytics javascript snippet analysis

Question

Just wondering how google analytics code snippet works in terms of javascript programming.

<script type="text/javascript">

  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-XXXXX-X']);
  _gaq.push(['_trackPageview']);

  (function() {
    var ga = document.createElement('script');
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 
        'http://www') + '.google-analytics.com/ga.js';
    ga.setAttribute('async', 'true');
    document.documentElement.firstChild.appendChild(ga);
  })();

</script>

1) We push 2 elements onto _gaq array but when does it actually get executed/used especially since ga.js is sitting on remote server? I tried looking into ga.js code but it's really confusing.

2) What would happen if the site was https:// but we still linked the javascript as http://www.google-analytics.com/ga.js

(function() {
        var ga = document.createElement('script');
        ga.src = 'http://www.google-analytics.com/ga.js';
        ga.setAttribute('async', 'true');
        document.documentElement.firstChild.appendChild(ga);
      })();

Answer 1

_gaq is a global variable (in browsers global variables are stored in Window object)

And its referenced in https://ssl.google-analytics.com/ga.js like this:

   var He = function () {
      var a = W._gaq,
      b = l;
      if (a && Aa(a[p]) && (b = "[object Array]" == Object[y][w].call(Object(a)), !b)) {
         Z = a;
         return
      }
      W._gaq = Z;
      b && Z[p][xa](Z, a)
   };

Also W refers to Window global variable (the script is minified to save bytes):

   var W = window,

For your convenience, I have pasted a formatted version of ga.js here: http://pastebin.com/sBmeSg9M

Look at line 603 and line 1956.

Answer 2

1. The Google Analytics code gets loaded and run on your page, at your domain, hence it has access to window and all the variables defined on it. _gaq is the magic variable name that Google's code inspects when it runs to see what has been defined and uses the values it finds to begin tracking things. It then tracks changes to this variable for the duration your page is loaded (which is how it does click event tracking etc).

2. As others have mentioned, failing to use the HTTPS URL for Google Analytics on a page served over HTTPS will lead to a warning about "insecure content". Stick with the code Google provides, they do so for a reason.

Answer 3

2) What would happen if the site was https:// but we still linked the javascript as http://www.google-analytics.com/ga.js

This would prevent nearly all modern browsers (eg Chrome ) to load the JS file and show a little warning to the user that there is "Insecure content".

The reason behind this is, that loading the JS file would allow MITM attacks without a SSL certificate warning.

Answer 4

2.: Then your SSL-certificate doesn't work correctly. There is non-ssl (https) script included to your SSL-site. Is that what you mean?