Google Tag Manager and Munchkin Code question

Nothing can stop someone from redeploying your code.  As I think I responded when you brought this up a few weeks ago, you must be allowed to redeploy your code on any number of domains without preregistering the domain with Marketo. 

Using GTM is just needless, I would say useless, complexity. Your code is still publicly known once it gets inserted into the page.  Maybe the fact that it's not initially in the markup would stop someone from accidentally scraping it, but not from deliberately scraping it.*  If you're worried about is accidental scrapers, you might as well just wrap the Munchkin.init() call, like this:

if ( ["www.example.com","www.domainalias.com"].indexOf(document.location.host) !== -1 ) {
    Munchkin.init()...
}

Also, the GTM JS is going to load very, very fast, but it can't possibly be faster than loading Munchkin on its own, since you're by definition loading another script over the network first.  This is a minor consideration, though. The main consideration is that it doesn't add security.

* In fact a basic Save As, as long as the user has JS enabled, will include GTM-injected HTML.  Like I said, not a security measure.

Sandford,

Thanks for the breakdown!

I guess my only other question is - why can't Marketo prevent this? I can't accept the answer that it's not possible, I haven't experienced people having the same issue with their Google Analytic codes getting stolen. Is Marketo just not taking all the measures to make sure this is prevented? The Munchkin is a huge component of Marketo, and to leave it vulnerable is dissapointing.

I'd be interested in this as well.  Thanks for surfacing this issue, Malik.

A way Marketo could (partially) prevent this would be to have an advanced mode where you would have to list every single domain from which you want to accept analytics calls.  This would have to include custom VisitWebPage calls as well. Would also have to be an opt-in feature for Marketo's customers or else it would break backward compatibility -- that is, people are loading legitimate Munchkin code on all their web properties (or clients' properties) , and that would all break if it were suddenly mandatory to list all the possible domains.

But that measure could only prevent accidental reuse of the code.  If I maliciously wanted to clutter your analytics, even if you said you only accept analytics calls from http://www.malikz.com I could just send thousands of fake requests to Munchkin from that domain, and I wouldn't ever need to hit your real website.

Bottom line, though, is that the people who stole @Malik Z's code show no evidence of understanding what they were doing.  Unless the goal was to muddle your analytics, there was no benefit to them. In reality, they hurt themselves by adding additional JS overhead on every page!  

I feel that, had you wrapped your Munchkin.init() in the domain check as I showed above, they would've either left that code intact (which means they wouldn't have beeen calling Munchkin)  or they would have deleted the code entirely (which also means no Munchkin).  To deliberately change the domain list or exclude the check would be pretty bizarre (not impossible, I concede).

@Michael R There's isn't any such rigorous setup procedure. I can load Munchkin on any of our domain aliases.  And rightfully so because we use all of those in advertising.

Certainly I can't imagine what contract is being breached as Marketo has no way of knowing that isn't just another site you operate.

Also Sanford, I just re-read your comment, and to say that GTM is useless is confusing, and to suggest that it can be just as easily stolen doesn't really make sense since the whole point of GTM is the "firing" rule. So even if someone steals your GTM code, with the Marketo Munchkin code buried in it, and deploys it on their website, the actual Munchkin Code would not work becuase the "firing" rule would be set up for only your specific domain. So in this case, I feel as though using GTM could actually prevent this from happening.

Wondering if anyone from Marketo has any input on this

EDIT: This is assuming the code is stolen on accident. Of course, if someone really wants to mess with your website, I'm sure they can find a way, fortunately we aren't too worried about that.

Sandford ... it doesn't really matter if the people who stole the code didn't know what they were doing, and it REALLY doesn't matter if they ended up hurting themselves. What does matter is that in the process they hurt MY analytics, causing MY reporting to be super inaccurate and having me to dig through hundreds of URLs so I could add them to a filtering list, though everyday a couple of new URLs pop up in there and it just ends up being a long cat and mouse game.

The whole concept of someone being able to swipe your Munchkin code, which is one of the most valuable aspects of Marketo, on ACCIDENT at that, is ridiculous. It completely degrades the quality of your analytics, which in my instance, is a pivotal part of my daily operation.