Tuesday, June 9, 2009

Hackjob in production

I just noticed this snippet from the Yahoo SEM code:

<SCRIPT language="JavaScript" type="text/javascript">
<!-- Yahoo! Inc.
window.ysm_customData = new Object();
window.ysm_customData.conversion = "transId=,currency=,amount=";
var ysm_accountid  = "ABCDEF123456";
document.write("<SCR" + "IPT language='JavaScript' type='text/javascript' " 
+ "SRC=//" + "srv1.wa.marketingsolutions.yahoo.com" + "/script/ScriptServlet" + "?aid=" + ysm_accountid 
+ "></SCR" + "IPT>");
// -->
</SCRIPT>

This code is given to webmasters for both secure and non-secure URLs. Compare it to the Google Analytics loading snippet:

<script type="text/javascript">
 var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
 document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

Yes, Yahoo provides code that requests a URL with no protocol (src=//srv1.wa.marketingsolutions.yahoo.com). Talk about funky code.
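
What each snippet actually requests can be checked by resolving its script URL against the embedding page, the way a browser does: a reference that starts with // takes its scheme from the page that contains it. The code below is an added example, not part of the original post or of Yahoo's or Google's code; the page URLs, the hardcoded-http contrast case and the function names are constructed for illustration.

```javascript
// Added example: resolve each snippet's script URL against an http: page
// and an https: page, and flag an https: page loading script over http:.

// Script reference built by the Yahoo snippet (scheme-less, account id as shown above).
const YAHOO_SRC =
  "//srv1.wa.marketingsolutions.yahoo.com/script/ScriptServlet?aid=ABCDEF123456";

// The Google snippet's logic: pick the host prefix from the page's protocol.
function googleSrc(pageProtocol) {
  const gaJsHost = ("https:" === pageProtocol) ? "https://ssl." : "http://www.";
  return gaJsHost + "google-analytics.com/ga.js";
}

// Resolve a script src against the embedding page (WHATWG URL resolution)
// and report whether a secure page would fetch the script insecurely.
function resolveScript(src, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(src, page);
  return {
    url: resolved.href,
    scheme: resolved.protocol,
    mixedContent: page.protocol === "https:" && resolved.protocol !== "https:",
  };
}

// Constructed page URLs (assumptions, not from the original post).
const PAGES = ["http://shop.example/thanks", "https://shop.example/thanks"];

function report() {
  const rows = [];
  for (const pageUrl of PAGES) {
    const proto = new URL(pageUrl).protocol;
    rows.push({ page: pageUrl, snippet: "yahoo",
                ...resolveScript(YAHOO_SRC, pageUrl) });
    rows.push({ page: pageUrl, snippet: "google",
                ...resolveScript(googleSrc(proto), pageUrl) });
    // Contrast case: the same Yahoo URL with http: hardcoded in front.
    rows.push({ page: pageUrl, snippet: "hardcoded-http",
                ...resolveScript("http:" + YAHOO_SRC, pageUrl) });
  }
  return rows;
}

console.table(report());
```

Only the hardcoded-http row on the https: page comes back with mixedContent set; the scheme-less reference and the protocol switch both follow the page's scheme.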

