Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remote code inclusion (mixpanel-recorder.min.js) #428

Open
revmischa opened this issue May 30, 2024 · 20 comments
Open

Remote code inclusion (mixpanel-recorder.min.js) #428

revmischa opened this issue May 30, 2024 · 20 comments

Comments

@revmischa
Copy link

I have been using mixpanel-browser in my chrome extension for some time, it's included in content scripts which are injected into pages along with our UI and features and we use mixpanel to track their usage.

After upgrading to a recent mixpanel-browser version, we're unable to get our extension approved now because of remote code inclusion of mixpanel-recorder.min.js:

Screenshot 2024-05-30 at 8 18 53 AM

I believe caused by this behavior:

scriptEl.src = this.get_config('recorder_src');

Added in 4b2d173

I'm not sure what can be done about this other than rolling back to an older version of mixpanel-browser. I don't need session recording just event tracking.
Ideally there would be a version of this library that does not include remote code execution.

@tdumitrescu
Copy link
Member

Thanks for bringing this up. I take it you're installing via npm and bundling the sdk with the rest of your code (e.g. import mixpanel from 'mixpanel-browser')? Since the main "HTML script snippet"-based loader has always done this style of async script-loading from our CDN. We're looking into providing bundle-ready builds that don't have this behavior.

@revmischa
Copy link
Author

Yeah I'm using webpack to build my extension. For now I am trying to work around it with:

 // remove remote code loading
      {
        test: /mixpanel-browser.*\.js$/,
        use: [
          {
            loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
          },
        ],
      },
// this replaces the remote code loading in mixpanel so our extension doesn't anger chrome webstore reviewers
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}

But it's not ideal

@a-bormark
Copy link

a-bormark commented Jul 1, 2024

Same issue. Is there any options to opt-out from adding recorder. It's in beta anyways and is available on Enterprise plan only.

Your suggestions?

@vittoriohalfon
Copy link

Same issue here - please do let me know if it is possible to opt out from recorder. Chrome Web Store is not happy with RHC...

@vittoriohalfon
Copy link

Yeah I'm using webpack to build my extension. For now I am trying to work around it with:

 // remove remote code loading
      {
        test: /mixpanel-browser.*\.js$/,
        use: [
          {
            loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
          },
        ],
      },
// this replaces the remote code loading in mixpanel so our extension doesn't anger chrome webstore reviewers
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}

But it's not ideal

Did this fix let you bypass chrome web store review? I've already been rejected due to mixpanel once. Wouldn't want to get rejected again :)

@revmischa
Copy link
Author

Yeah I'm using webpack to build my extension. For now I am trying to work around it with:

 // remove remote code loading
      {
        test: /mixpanel-browser.*\.js$/,
        use: [
          {
            loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
          },
        ],
      },
// this replaces the remote code loading in mixpanel so our extension doesn't anger chrome webstore reviewers
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}

But it's not ideal

Did this fix let you bypass chrome web store review? I've already been rejected due to mixpanel once. Wouldn't want to get rejected again :)

It removed the remote code loading and they seemed happy with it

@vittoriohalfon
Copy link

vittoriohalfon commented Jul 9, 2024

This script wasn't fully working out for me for some reason.
I reverted back to mixpanel version 2.49.0 (version before recording feature was released).

Hope Chrome Web reviewers will be happy with it.

@rahulbansal16
Copy link

Same issue with me. I am also reverting to 2.49. Thanks.
written via DictationDaddy.

@NickMihaiu91
Copy link

I've had the same issue. Google views the remote code loading of mixpanel-recorder.min.js as a violation and I can't get my extension approved.
This is a blocking issue, please look into it.

@rahulbansal16 @vittoriohalfon did you get approved using version 2.49? Thank you

@vittoriohalfon
Copy link

vittoriohalfon commented Jul 22, 2024

Yes, extension got approved when reverting to MixPanel Version 2.49.0
@NickMihaiu91

@ElinaBahirova
Copy link

My extension got rejected even after reverting to MixPanel Version 2.49.0
Violating content: Code snippet: assets/index.js: "https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js"

@tdumitrescu
Copy link
Member

@ElinaBahirova there are no references to mixpanel-recorder.min.js in v2.49.0, none of that code had landed yet: https://github.com/mixpanel/mixpanel-js/tree/v2.49.0

@vittoriohalfon
Copy link

@ElinaBahirova are you sure you re-built the chrome extension after reverting to mixpanel v2.49.0?

@tdumitrescu
Copy link
Member

Anyway though, the latest release 2.54.0 now provides several build options for including/unincluding the session-recording bundle. From the release notes:

The SDK is now provided in several new builds with different options around included modules and asynchronous loading:

  1. Core mixpanel build with bundled mixpanel-recorder session-recording module (default):
import mixpanel from 'mixpanel-browser';
  1. Core mixpanel build that optionally loads mixpanel-recorder asynchronously via script tag (previous default):
import mixpanel from 'mixpanel-browser/src/loaders/loader-module-with-async-recorder';
  1. Core mixpanel build only (no session recording available):
import mixpanel from 'mixpanel-browser/src/loaders/loader-module-core';

Of the above options, 1 and 3 should both take care of the "remotely hosted code" violation. (In 1, the session-recording module is included in the main bundle rather than loaded asynchronously; in 3, it is not included at all and cannot be loaded)

You can also import the pre-built bundles directly if you don't want to run mixpanel-browser source through your bundler:

import mixpanel from 'mixpanel-browser/dist/mixpanel-core.cjs';

@tamzinselvi
Copy link

tamzinselvi commented Sep 17, 2024

I followed the above comment to a tee, and still have the chrome store reporting the exact same issue. Taking a look at the mixpanel-core.cjs file, it still has references to the session recording script and seemingly the capability to load it, which seems to be failing Google Chrome Dev Store's static analysis on our built project. Can all references to session recording be pulled from the core?

v2.55.0 FYI

@tdumitrescu
Copy link
Member

Thanks for the report. There's no script-loading code in https://github.com/mixpanel/mixpanel-js/blob/v2.55.0/dist/mixpanel-core.cjs.js (except for the JSONP tracking code which has been there forever). Are you getting the exact same violation report as in the first comment on this issue?

@tamzinselvi
Copy link

tamzinselvi commented Sep 17, 2024

Yes - but as you can see on this line: https://github.com/mixpanel/mixpanel-js/blob/v2.55.0/dist/mixpanel-core.cjs.js#L4470 - the capability is still included, and this is causing the static analysis that Chrome Store's team is doing on submission to automatically reject our submission with the following note:

Violation:
Including remotely hosted code in a Manifest V3 item.
Violating Content:
Code snippet: assets/index.js: https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js

@shershen08
Copy link

2 days ago got the Chrome store rejection again with 2.49.0 version of the plugin ...

@surtic86
Copy link

With the newest Version 2.56.0 i get again the Blue Argon Warning from Chrome Webstore.

Code-Snippet: content.js: https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js

And im already using the

import mixpanel from 'mixpanel-browser/src/loaders/loader-module-core'; // new without recorder stuff

@luongtattrung
Copy link

I had the same issue and found this line in the after-build code

Image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests