Re: Google Tag Manager and Munchkin Code question

SanfordWhiteman · ‎02-27-2015

P.S. The same approach is used by embedded Forms 2.0. They can go on any website. And this "decontrol" is, in the end, a good thing. Because based on what I know about Marketo users, they are focused on Marketing and Marketing Ops, but not Web Ops. I know it may seem like a stretch to call this an IT matter, but in my experience Mktg folks expect things like domain aliases to "just work": they buy the domain, IT sets up the host header on the webserver, and away they go. Having to maintain a domain list in Marketo as well could be seen as cumbersome, regardless of the security benefits. Of course this same laziness applies to IT folks (I know this, being one) but we don't really have an excuse, while a Mktg person can legitimately say, "That's too much and not my job."

SanfordWhiteman · ‎02-27-2015

So even if someone steals your GTM code, with the Marketo Munchkin code buried in it

That''s not what happens. They scrape your website's HTML. That has your Munchkin code not "buried" in it but right there in the markup, injected by GTM before your enemies scrape the site.

GTM firing rules determine what tags will appear in the final markup of your page. The act of stealing your page occurs after GTM fires.

Mikes_Jones · ‎02-27-2015

It's upsetting that this isn't at the very least an option for those of us who do care about the security and accuracy of our data.

It's like selling someone a new car with a univesal lock to it. Yea, it's cool when you lose your keys, you can just pop in some random keys and go to work - but at the same time, any random person can pop their keys in and ride away with your car as well.

Again, would be nice to hear from someone at Marketo, surprised more people haven't brought this up before.

Mikes_Jones · ‎02-27-2015

Sandford, I'm not sure if you've ever used GTM before, but the code is infact buried within a universal GTM tag. So in the source of your website, you'll just see a tag that looks something like this:


<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-EXAMPLE"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>


Within the above code will contain your Munchkin Code, but it's not actually visible on the site's HTML markup, therefore it keeps your code secure and out of harms way.

Anonymous · ‎02-27-2015

Rigourous = detailed I guess 🙂

I feel like we told them the domains we had in the beginning. I thought it was just for this purpose. I could be wrong, this is my tenth instance or so I've touched.

I feel like I lied to so many people about saying Munchkin is secure.. They should know as they should be logging this in their backend no? I mean its like Malik is saying, lets just leave the front door open and see who walks in there.

SanfordWhiteman · ‎02-27-2015

The whole concept of someone being able to swipe your Munchkin code, which is one of the most valuable aspects of Marketo, on ACCIDENT at that, is ridiculous. It completely degrades the quality of your analytics, which in my instance, is a pivotal part of my daily operation.

It's a pivotal part of everybody's operation! I understand that you're upset, but I don't think this completely degrades the quality of your analytics, provided you apply appropriate filters when reporting. Then again, I'm not saying Marketo shouldn't add the ability to pre-filter, I'm just saying they shouldn't go back in time and force everyone to enter a filter. Google Analytics, for example, allows you to apply a filter, but by default there is no filter -- thus just as vulnerable as Marketo.

SanfordWhiteman · ‎02-27-2015

Within the above code will contain your Munchkin Code, but it's not actually visible on the site's HTML markup, therefore it keeps your code secure and out of harms way.

This is not true, but I'm not going to belabor the point with you if you won't test.

SanfordWhiteman · ‎02-27-2015

I feel like we told them the domains we had in the beginning. I thought it was just for this purpose. I could be wrong, this is my tenth instance or so I've touched.

You probably are thinking of branding domains, landing page domains, or setting up SPF/DKIM for sending domains. Those are all different issues.

I feel like I lied to so many people about saying Munchkin is secure.. They should know as they should be logging this in their backend no? I mean its like Malik is saying, lets just leave the front door open and see who walks in there.

I don't understand the concept of a public analytics tracking code being "secure." I'm an IT guy and that's not an expression I would use. As noted above, GA is just as, shall we say, insecure by default... what you should be requesting is the option to filter, not that everything be prefiltered. It should be obvious by now that a marketing company managing potentially thousands of client domains has not entered those domains into the Marketo interface, since there is no place to put them.

Mikes_Jones · ‎02-27-2015

Sanford, can you please elloborate on the GTM code and whether it's in teh markup or not?

Here is our website: www.r2integrated.com

When you view the page source, you will see a GTM tag. Within that tag is a Google Analytics tag, but you won't see that in the markup of the page source ... unless it's there, and I just don't see it. Let me know if you can find it 🙂

SanfordWhiteman · ‎02-27-2015

Add Munchkin via GTM. That is what you should be testing. (GTM has a special plugin for GA, which means that is not an appropriate testbed.)

Technical rule: any elements injected into your markup can be scraped. It's just a fact of browser life.