Ad block shouldn't break your checkout(ilakovac.com) |
Ad block shouldn't break your checkout(ilakovac.com) |
https://github.com/gorhill/uBlock/commit/8cd2a1d263a96421487...
I'd like to find a solution which would restore the ability to use sites. I'm thinking about website cleanup offering (startup anyone?), I wonder if something similar already exists.
The site doesn't really use any JS other then some privacy friendly analytics.
The article was collapsing when I had uBlock on FFx, I only saw your bottom (C)opyright.
Developers failing to test sites with adblockers could literally result in people dying.
Early in my career, I worked on a site that displayed images, each of which was given a GUID and loaded from a server in thumbnail form. Fortunately, one of our developers used an ad blocker, because she realized two (of a couple hundered) thumbnails didn't show up. Turns out her ad blocker was running a heuristic based on both dimensions of the thumbnail and the URL the thumbnail was served from, and if it saw the sequence 'ad' in the URL (plus some additional pieces of the URL we never identified; attempts to reproduce it with a simpler URL didn't pan out), the browser extension would block the image from loading and our users got a broken image.
The best solution we could come up with was tweak the server logic to substitude 'a' with 'g' when vending the URLs, and then reverse the substitution when fetching them. Huge pain in the ass on our end, but necessary to ensure our customers' user experience didn't break from their own ad blockers.
"Ad block shouldn't break your checkout..." but it's third-party code you don't own or control splicing behavior atop the code you do own and control, so of course it breaks things occasionally. It's like the old era of the MacOS Desk Accessory API. It is provably mathematically impossible for the developer to guarantee successful execution of a Turing-complete program if the program can be arbitrarily modified by third-party injection, so the odds that browser extension in general (and ad blockers in particular, as they are designed to modify the intended site behavior) don't break any website are vanishingly close to zero.
I'm tired of being treated as little more than a data cow, always ready for milking.
Just. Stop.
To the person who ignores people who complain because their 'non-standard' browsers fail on their site, why do you have a site if you don't care about your users accessing it? Ego much?
Yeah, but who are you? Are you an impulse buyer? Returning? Did you spend an hour on the product page? Did you jump between 20 different product pages?
You can't deny that this kind of analytics can be very useful for user conversion and website design. And the site in question tries to do the proper thing, checking if GA works before trying to do stuff with it, so it wouldn't just fail if GA was blocked by the user.
Now, since an adblocker doesn't change anything anywhere except on the end user's computer, the analog should be something on the customer's person, or some part of their behavior. So let's say the customer tries to avoid identification by wearing a hat, and they purposely grab every item and put it back on the shelf to mess with the data about their shopping habits.
Do you think it makes sense for the cashier to refuse to checkout anyone who is wearing a hat? Or if they spotted someone who picked a few things up without putting them in their cart?
Because I sure don't.
I am none of your business.
Excuse my ignorance on web development, but why? How?
And they'd be absolutely blind without GA. There's no magic window into customer behavior. If you were actually in a physical store then they could look at you through the cameras. This way they can know if there are basic problems with the store.
With a website, they would have absolutely zero way to know what your experience of shopping there is like without a tool like GA. The only data they would have at all is sales numbers. The experience of shopping online would be immeasurably worse without it.
Because of the pandemic, I go to stores wearing a mask. That might prevent me being identified by the cameras (IDK), but the cashiers still sell to me.
The standard web analytics tools of the late 90s basically parsed the http log. Even those will give you info equivalent to "looking through cameras".
You might want GA, you might even need it, but you're absolutely not blind without it unless you choose to be so.
Good.
> If you were actually in a physical store then they could look at you through the cameras.
That's a gross idea to have.
"How would you even know that?" I hear you ask. Well, that's an interesting story....
I found it pretty funny that I had to understand web development and troubleshoot the problem just to order pizza...
Perhaps some companies have the resources to check if their websites run with different ad blockers, but expecting websites to work when plugins are replacing and breaking running code is a big ask.
Don’t all developers have ad blockers (clearly not)? I understand managers not testing for this, but for my own work it’d never load for me as a Dev, even.
And that is precisely the problem. Once website operators get it through their thick heads that the browser is user property, not theirs, things might start to improve.
The existence of Firefox as a counterweight to Chrome means that the web standards are not going to win. Ads will be blocked. Cope and deal.
The article's title is correct: ad block shouldn't break checkout. Injecting a bogus value into a global breaks checkout, so ad block shouldn't do that.
I never even thought about or realized that adblock may be why I have had issues with many different online retailers. I just assume "something is fukt with the site, or my browser, Vivaldi, is at fault" and then just buy the product elsewhere or buy a different/similar product instead.
(I did not bother trying to explain this to a human on the phone, because of the aforementioned alternate solution. That just sounds a supersized order of pain.)
As a general principle, it should be impossible for a client to "half-configure" an account; the Internet isn't designed to be reliable enough to support guarantees that all the relevant messages get sent and received.
Whenever someone reports a bug to me, I ask them if they use any site-modifying extensions. If they do, I ignore them completely, even if they wrote a long, detailed report.
Web authors make websites for standard web browsers. I do not consider a browser with site-modifying extensions to be a standard web browser, and it is not my job to test my website with all 1,000,000 extensions that exist on earth.
It all started six years ago, when my website contained <div id="ad" ... and somebody reported, that their adblock removes that element, but it is not the ad. What kind of a mental process should a brain perform to conclude, that it is a bug in a website, and not in their extension, which is supposed to remove ads.
27% of American internet users use adblock in some form. Better go check right now that you're not losing 27% of sales to it.
Running non-compliant extensions is your right, but the results don't need to be supported. I've run into this situation a number of times, although not with adblock. My advice has been to disable the extensions, or use a different browser without them.
You're leaving out the option of "not using the website."
Let's face it, nothing for sale on TeeSpring is essential. Just thank them for putting a roadblock on your silly impulse buy.
Compliant to who/what exactly ? Extensions are executed in a user agent, ie a software acting on behalf of a user based on the settings they prefer. If anything it's the website that's non-compliant with the user's choice.
It's your job to fix your site so it doesn't break because of ad-block. If you're determined on refusing service for people who don't want to be tracked by breaking checkout, that's fine as well. But then you don't get to complain.
Side note: my pet peeve these days is emojis. People need to stop it with shoving emojis everywhere, just like TeeSpring needs to stop shoving evil analytics everywhere. Not everything needs to have 4x emotional emphasis ffs.
Since they're utility bills, credit cards, insurance portals, etc, I don't really have a choice not to use their services.
FF is my main browser, so for anything behaving in a finicky way, I use Chrome, which doesn't have any extensions or Google IDs attached to it.
GA has an enormous set of capabilities for measuring user activity and e-commerce, especially because Tag Manager lets you assign trackable events anywhere you need to on the site.
It may be interesting to see if that site works if 'analytics.js' and 'gtm.js' are greenlit. Those are the main GA scripts. Everything else would likely be ad-related.
I block it with uBlock Origin and many standard ecommerce sites just don't function in a most basic way.
I basically have to switch to another browser to actually checkout on anything because there's so many things I'd need to disable to get them to work.
"I can't see the images on the 'Adverts' page."
"Do you have an ad-blocker installed?"
"Yes."
"What do you think an ad-blocker does..."
Searching for the dummy function uBlock Origin uses for window.ga https://github.com/gorhill/uBlock/blob/master/src/web_access...
This reveals that this has been in uBlock Origin since 2019.
If people are ready to give you money, don't try to stop them!
Use uMatrix on a site for more than a week and annoyances will show themselves. Twitch is the biggest site I've found that loves ever changing 3rd party urls.
If your checkout system connects over anything but port 443, you done fucked up.
https://torguard.net/blog/only-one-out-of-five-top-us-banks-...
https://community.spiceworks.com/topic/2238885-wells-fargo-w...
e.g.
outage, 2017
https://www.theguardian.com/business/2017/may/31/ba-it-shutd...
https://www.cloudpro.co.uk/it-infrastructure/7800/british-ai...
outage, 2019
https://www.itpro.co.uk/disaster-recovery-dr/34162/british-a...
Supply chain hack, 2018:
> Yes, can I take your other?
> No, you don't get it, I'd like to file a bug report, but your website clearly has no feature to create issues so, when the field city has the value...
> Sir, I cannot fix the website. If you do not wish to make an order please hang up.
> Uhoh ok, sure, I'd like an anchovies pizza but instead of anchovies I'd like you to make sure that when the field city is set to Boston...
> Sir, I really cannot fix the website
> Couldn't you just make a note and leave it in the front door? So that if other customers have the same problem they can upvote the most common issues and then you can prioritize fixes and get a reasonable budget for each one?
> I obviously can't do that, do you want your anch...
> Of course you can't! That would be reinventing the wheel! Let me point you to the github...
thats pretty funny to me now
There's a big difference between "resilient against a missing dependency" and "being resilient in the face of getting literally any object instead of the dependency you expected to get."
I think TeeSpring has the right idea - they're checking that GA is loaded, if it is, then do stuff with it, if it's not, then don't.
I don't understand how a website can and should be expected to adapt to a browser plugin changing the APIs they depend on out from underneath them.
I think they could go one step further and may be try...catch (sandbox) all access to third-party services that aren't critical.
User-agents, which browsers are, expectedly do put a lot of control in the hands of the end-users. Such breakages should be factored in and worked around (provided there are enough engineering resources to throw at the problem, of course).
Put it this way, forget adblock, if the GA call fails, it should still check out. (Assuming the problem doesn't affect other stuff too, like internet down or whatever.)
Given the hyper-malleable nature of JavaScript in an HTML page in a user-agent owned by the end user, at some point the developer has to draw a line in the sand and say "This category of failure modes is not checked," because it's mathematically impossible to check all possible failure modes in that configuration. "An extension is intentionally faking an object in the `window` context" just happens to be on the other side of the "don't check" line for this application, because it's extremely unlikely (and, one could argue, user-self-inflicted).
Checking the top 3 adblockers that command the majority of market share would be a much smaller ask - maybe smaller than a check-mobile-browser sized ask.
So the reason why the GA object is replaced, rather than removed, is because removing it would break other sites. Tee Spring is trying to do the right thing, but fail because other sites don’t do the same.
Ignore it at your peril. If you want to make sales, you need to test the ways your prospective customers want to buy.
A shopping site breaking checkout when there's a google analytics problem is madness, IMO. uBlock Origin is hugely popular. With 10M (claimed) active users, you should probably be testing against uBlock Origin for your e-commerce site.
As an aside, buying from TeeSpring was a little... interesting. You add the items to your cart and pay like at any other site. Instead of being charged for the total, I got invoiced separately for each (including separate confirmation emails), along with 5 or 6 duplicate shipping notices for one of the items. My credit card was also charged separately for each item. I get that there are probably reasons for this purchase flow, but it's not implemented well.
I got my stuff and all is good, but the whole buying experience was janky.
The author is running an extension that specifically injects code to make window.ga into something unexpected, and then complaining about it.
as mention other places though, missing window.ga at all on other sites can cause worse problems. I'm not sure mimicing the whole api is useful, but maybe not adding the stub on teespring will be.
On teesprings side, it's not their fault, but adding '&& window.ga.getAll' will fix the issue
What do you consider a standard web browser?
If someone ships a browser with Tracking Protection (like Firefox), or with NoScript preinstalled (like Tor Browser), or with another adblocker preinstalled, is that a standard browser because the user didn't modify it?
Or is it based on the number of user. Is your standard browser really just Google Chrome, because Google has a lot of marketshare?
I ask, because I looked up the statistics, and they say between 25-45% of users have an ad blocker, depending on the country.
It seems pretty unfair to ignore your users completely, even if they wrote a long, detailed report. No?
It's like emailing an email provider asking why your desktop email client is displaying emails weird.
Note to self, don't use Photopea due to poor customer support.
You would think the customer support would at least tell them to remove/disable the add-ons instead of ignoring them.
Anyway, ad blockers are standard now and they usually share the blocking lists. Supporting them is just a matter of installing uBlock Origin in the browser you use to develop.
Breaking this based on an ad blocker just loses you money.
That's false. Similar thinking to how the MPAA said that downloading a MP3 is a lost sale. There was never a sale to begin with, the user is not interested in a purchase regardless of whether the pirated content is available.
Here, the user will just go through the checkout again in a browser without ab-block or disable it. Why would they suddenly not need a power washer because they're running ad-block?
In fact, if anything, it'll train the user to disable ad-block when they're ready to checkout--from _ANY_ site since most of them are broken under ad-block.
For website owners who are losing revenue, the mental process is simple: "If I change this webpage I will get more sales."
How difficult would it be for you to change the div name to not coincide with the characters most closely involved with one of the most contentious technologies around? And never have to deal with that potential conflict again?
> What kind of a mental process should a brain perform to conclude, that it is a bug in a website, and not in their extension, which is supposed to remove ads.
Well, if the extension looks for obvious ad-related layout, and your site just happened to use that name, then yes, you have a bug related to common usage patterns.
Even if you used the name before anything ad related, when the world changes around you, you can choose to adapt, or you can get offended and obstinate and fall further and further into a niche of your own creation.
A "popular" issue is, that people use an extension, which renames files saved by Photopea to .TXT. It is reported several times a week and every time, I tell people to disable an extension. They often argue, that it can not be caused by an extension, or even lie, that they disabled it and it did not help.
https://github.com/photopea/photopea/issues/3246 https://github.com/photopea/photopea/issues/3227 https://github.com/photopea/photopea/issues/3194 https://github.com/photopea/photopea/issues/3187 https://github.com/photopea/photopea/issues/3116 https://github.com/photopea/photopea/issues/3110 https://github.com/photopea/photopea/issues/3049 and so on.
https://github.com/photopea/photopea/issues/2294#issuecommen...
"Google docs offline" is an official extension from google which you get prompted to install when you go to Google Drive in Chrome without the extension installed. I don't think that caused anything and it looks like there was an actual bug you had:
> There really was a bug in Photopea. If you opened a file, whose name started with a dot . , like .myfile.psd, It was always exported as .TXT_ > I have fixed this bug. You can open files with any names now, and they should be saved under the right extension.
https://github.com/photopea/photopea/issues/3116#issuecommen...
It did seem like the issue was on your end and not the extensions though.
On the other hand you know how ad blocking works and if it’s not too much effort just change the class name?
If your website behaves like malware is it really the fault of antimalware software that blocks it? If there was a better way to detect malware, sure, but heuristics is the best we’ve got and they do sometimes break - if it’s not too much effort to make your website not behave like malware why not do it?
I fully agree with you about other, more intrusive site-modifying extensions, but ad-blockers are fairly lightweight and only target behavior that looks malicious, and it’s fairly easy not to trigger them.
It's your choice to use things that don't conform, such as IE11, but I wouldn't assume it's the server's problem.
If you're selling stuff, and you notice a lot of people going partway through your checkout process and leaving, it might be a sign that something in the process isn't user friendly and improvement could benefit you. Especially if the behavior has changed recently.
You might see that people come in from a marketting link where you thought they'd like to buy A, but they rarely buy A, and if they do buy something, they buy B; maybe it would make sense to use that link to go to the sales page for B instead, etc.
You could even notice that people who don't run your javascript analytics still add things to the cart, and start the checkout, but never finish, and take that as something to investigate.
This isn't a defense of Google Analytics in specific, or javascript analytics in general, this could be done serverside with just a cookie to corellate across multiple visits, or a session cookie within the same visit, or instrumenting all the links and correlating that way. Javascript could be used to remove tracking tags for copying links, but have it when clicked; great if it works, not the end of the world if it doesn't.
Certainly it's not a bug (on your part) that the user agent rendered the page as the user directed, but that isn't the actual complaint. The issue is that the page is over-complicated and fragile, proving unfit for purpose when faced with the slightest deviation from the default behavior of the top two or three most popular web browsers.
"If GA is unreachable then window.ga wouldn't be defined."
The legacy code you insert for GA does: var ga = document.createElement('script'); first, then loads GA. Wouldn't that have the same issue if GA is unreachable?
OP saying that "I am not a data cow" is just missing the point. GA is logging when you visit the website, some interactions like clicking a link, and generally not much more than that. It is not indexing your hard drive or downloading your photos.
There is also more than just unauthorized purchased. There is also card testers that test to see if the card is still valid.
So this means that users who expose the site to fraud must allow the anti-fraud libraries to track them, or switch to a bank that offers 3D-Secure so that liability is shifted to the bank and they no longer need to be tracked. Seems like a win-win situation.
> There is also card testers that test to see if the card is still valid.
Same scenario applies? If it's protected by 3D-Secure, who cares? The bank will end up paying the cost of it, not the merchant. If anything, this is a problem I'd love to have, as it means if I can identify those reliably I can keep pocketing money without even having to send out any actual goods.
Maybe he's just so sick of hearing about errors or bugs from thousands of users, he's sabotaging his own product in hopes it will just die and he can move on.
Everything Google Analytics does is expendable, so the block of code that deals with it should be wrapped in try/catch.
> There's a big difference between "resilient against a missing dependency" and "being resilient in the face of getting literally any object instead of the dependency you expected to get."
If Google pushes a breaking change to the Google Analytics API tomorrow, that shouldn't break checkout either.
For third party dependencies that might not get loaded for whatever reason? Yes, sure. There are better ways to do it, but that's the idea.
I've learned to just call orders in these days.
Somehow (well, we know the reasons) many websites and platforms require you to have a full inner model of its workings if you want to get things done. If you call, more often then not the person calling you does that work for you.
The whole reason I call is E.G. Round Table Pizza had a perfectly good "Web 1.0" website. Instead of updating some CSS rules to make it render better on mobile they seem to have outsourced to a third party and now everything performs worse and has it's own clunky hell. So instead of using a shit re-design on a website I just call on the phone.
It's not deep scanning your hard drive to try and figure out your SSN or medical history like some people think.
But people pick AWS because it offers a lot more than just a storage bucket. Same with Google Analytics. It offers a ton of ecommerce analytics including custom tags that can be set by the shop owner. TeeSpring is probably not a full-service Ecomm platform like Magento. It's likely that they are piggybacking on GA's built in Ecomm tracking and reporting capabilities, instead of reinventing the wheel by doing it themselves.
FYI, Ublock Origin also blocks links to "sponsored results" shown on Amazon search.
https://www.vouchercloud.com/resources/consumer-psychology-t...
There's absolutely nothing wrong with this. The blocker does it because just deleting the object would let obnoxious websites to detect its presence and punish users for it.
The better question is why their checkout completely breaks because of this. Their reliance on Google spyware is 100% on them and they are losing sales because of it.
Analytics and ads are annoying, I get it. However if you use an automated script to clear them out, be aware that some things might brake.
If Ublock Origin devs think they need to replace GA with a dummy to stop tracking they should've put a copy of the original interface with empty functions into it so the flow doesn't throw exceptions when the app tries to use it thinking everything's fine. Those scripts are publicly available and aren't a secret.
They shouldn't require tracking to succeed in order for me to buy the product. If they want tracking, sure. But be resistant to it erroring out. Don't let errors in 3rd party tools prevent your user from getting their core goals completed.
The same goes for client apps. Don't crash the app if it fails to log to a file. Don't crash the app if it can't sync your cache. Etc, etc. Don't let these unnecessary conveniences get in the users way.
When two independently-owned systems on the web break each other, "who needs to fix their stuff" is a question more of social networks and business politics than technology. TeeSpring's "fix" could be to pop a banner that says "WARNING: uBlock Origin breaks this site and we can't test for that."
That'd be great. Then I, as a user of uBlock Origin, can nope-out of the site before wasting too much of my time and the site's resources.
And there are sites that will throw up a banner that says 'Adblockers might break this, if you have problems disable your Adblocker and try again' which is pretty effective. Funny enough, in my experience, sites with that banner tend to work with uBO enabled (probably because they're testing it).
Tracking should rely on the tracking service, not the checkout process
If i run an e-commerce site, and see the vast majority of my users, but the minority of those that buy stuff, are on mobile and from India, maybe i need to optimise my site for mobile and lower-speed connections? Maybe something is wrong with my payment for specific currencies?
If i run a blog, ans the majority of my viewers come from France, maybe it's time i start writing localised content in French?
You get the gist.
Also, look at both of your examples. They’re bad. They’re both best replied to with that diagram of holes on a WW2 airplane.
Who I am is not.
You don't need to know if I have kids, have a disease, my age, my race, my gender. You don't need to know anything. Sure that information would help you make a better experience for me, I get that. But that's up to me. If I want a better experience, allow me to provide that information in exchange for the benefits that information gains me. But peeking over my shoulder as I walk through your store so that you can overanalyze everything I do isn't okay.