It captures hits, countries, browsers, referers and will show you a page overlay indicating where most of you visitors click to next. A web developer’s dream “Look what I did, boss…”.
However, here’s the problem…
It’s a script and they want me to put it on my site. That’s fine for this blog, but I simply cannot use it on any commercial site that requires a user to login. Now, I’m not saying that GA would ever do anything untoward with that script but, technically, they could; and that’s enough. If it felt so inclined, that script could access any DOM element on that page and even redirect POSTs to another endpoint. Login details, passwords and, in my case, financial data could all be collected and associated with the clients’ IP address.
A crying shame – guess I’ll just have to write my own server-side solution.