Skip to content

fix: Mask cookie campaign params #2297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 5 commits into from
Closed

fix: Mask cookie campaign params #2297

wants to merge 5 commits into from

Conversation

robbie-c
Copy link
Member

@robbie-c robbie-c commented Sep 8, 2025
edited
Loading

Problem

I noticed that the code to mask campaign params was not being applied to the params from cookies.

Changes

Mask cookie params as well.

As part of this, I had to make some web-experiments static methods no longer static, and update the test suite

Release info Sub-libraries affected

Libraries affected

  • All of them
  • posthog-js (web)
  • posthog-js-lite (web lite)
  • posthog-node
  • posthog-react-native
  • @posthog/react
  • @posthog/ai
  • @posthog/nextjs-config

Checklist

  • Tests for new code
  • Accounted for the impact of any changes across different platforms
  • Accounted for backwards compatibility of any changes (no breaking changes!)
  • Took care not to unnecessarily increase the bundle size

If releasing new changes

  • Ran pnpm changeset to generate a changeset file
  • Added the "release" label to the PR to indicate we're publishing new versions for the affected packages

@vercel Vercel
Copy link

vercel bot commented Sep 8, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Updated (UTC)
posthog-js Ready Ready Preview Sep 24, 2025 11:54am

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 8, 2025
edited
Loading

Download bundle size visualization

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 8, 2025
edited
Loading

Size Change: +536 B (+0.01%)

Total Size: 5.13 MB

Filename Size Change
packages/browser/dist/array.full.es5.js 322 kB +61 B (+0.02%)
packages/browser/dist/array.full.js 383 kB +46 B (+0.01%)
packages/browser/dist/array.full.no-external.js 401 kB +36 B (+0.01%)
packages/browser/dist/array.js 183 kB +42 B (+0.02%)
packages/browser/dist/array.no-external.js 199 kB +30 B (+0.02%)
packages/browser/dist/customizations.full.js 19.2 kB +125 B (+0.65%)
packages/browser/dist/main.js 184 kB +42 B (+0.02%)
packages/browser/dist/module.full.js 384 kB +46 B (+0.01%)
packages/browser/dist/module.full.no-external.js 401 kB +36 B (+0.01%)
packages/browser/dist/module.js 184 kB +42 B (+0.02%)
packages/browser/dist/module.no-external.js 200 kB +30 B (+0.02%)
ℹ️ View Unchanged
Filename Size Change
packages/ai/dist/anthropic/index.cjs 16.7 kB 0 B
packages/ai/dist/anthropic/index.mjs 16.5 kB 0 B
packages/ai/dist/gemini/index.cjs 17.6 kB 0 B
packages/ai/dist/gemini/index.mjs 17.5 kB 0 B
packages/ai/dist/index.cjs 120 kB 0 B
packages/ai/dist/index.mjs 119 kB 0 B
packages/ai/dist/langchain/index.cjs 39.6 kB 0 B
packages/ai/dist/langchain/index.mjs 39 kB 0 B
packages/ai/dist/openai/index.cjs 29.8 kB 0 B
packages/ai/dist/openai/index.mjs 29.5 kB 0 B
packages/ai/dist/vercel/index.cjs 21.9 kB 0 B
packages/ai/dist/vercel/index.mjs 21.9 kB 0 B
packages/browser/dist/all-external-dependencies.js 223 kB 0 B
packages/browser/dist/crisp-chat-integration.js 1.97 kB 0 B
packages/browser/dist/dead-clicks-autocapture.js 12.6 kB 0 B
packages/browser/dist/exception-autocapture.js 11.5 kB 0 B
packages/browser/dist/external-scripts-loader.js 2.81 kB 0 B
packages/browser/dist/intercom-integration.js 2.02 kB 0 B
packages/browser/dist/lazy-recorder.js 146 kB 0 B
packages/browser/dist/posthog-recorder.js 240 kB 0 B
packages/browser/dist/recorder-v2.js 113 kB 0 B
packages/browser/dist/recorder.js 113 kB 0 B
packages/browser/dist/surveys-preview.js 71.1 kB 0 B
packages/browser/dist/surveys.js 80 kB 0 B
packages/browser/dist/tracing-headers.js 1.84 kB 0 B
packages/browser/dist/web-vitals.js 10.4 kB 0 B
packages/browser/react/dist/esm/index.js 15.1 kB 0 B
packages/browser/react/dist/umd/index.js 17.8 kB 0 B
packages/core/dist/error-tracking/chunk-ids.js 2.54 kB 0 B
packages/core/dist/error-tracking/chunk-ids.mjs 1.31 kB 0 B
packages/core/dist/error-tracking/coercers/dom-exception-coercer.js 2.3 kB 0 B
packages/core/dist/error-tracking/coercers/dom-exception-coercer.mjs 993 B 0 B
packages/core/dist/error-tracking/coercers/error-coercer.js 2.02 kB 0 B
packages/core/dist/error-tracking/coercers/error-coercer.mjs 794 B 0 B
packages/core/dist/error-tracking/coercers/error-event-coercer.js 1.76 kB 0 B
packages/core/dist/error-tracking/coercers/error-event-coercer.mjs 513 B 0 B
packages/core/dist/error-tracking/coercers/event-coercer.js 1.82 kB 0 B
packages/core/dist/error-tracking/coercers/event-coercer.mjs 548 B 0 B
packages/core/dist/error-tracking/coercers/index.js 6.79 kB 0 B
packages/core/dist/error-tracking/coercers/index.mjs 326 B 0 B
packages/core/dist/error-tracking/coercers/object-coercer.js 3.46 kB 0 B
packages/core/dist/error-tracking/coercers/object-coercer.mjs 2.07 kB 0 B
packages/core/dist/error-tracking/coercers/primitive-coercer.js 1.67 kB 0 B
packages/core/dist/error-tracking/coercers/primitive-coercer.mjs 419 B 0 B
packages/core/dist/error-tracking/coercers/promise-rejection-event.js 2.25 kB 0 B
packages/core/dist/error-tracking/coercers/promise-rejection-event.mjs 904 B 0 B
packages/core/dist/error-tracking/coercers/string-coercer.js 2.01 kB 0 B
packages/core/dist/error-tracking/coercers/string-coercer.mjs 820 B 0 B
packages/core/dist/error-tracking/coercers/utils.js 2.06 kB 0 B
packages/core/dist/error-tracking/coercers/utils.mjs 716 B 0 B
packages/core/dist/error-tracking/error-properties-builder.js 5.65 kB 0 B
packages/core/dist/error-tracking/error-properties-builder.mjs 4.33 kB 0 B
packages/core/dist/error-tracking/index.js 4.11 kB 0 B
packages/core/dist/error-tracking/index.mjs 152 B 0 B
packages/core/dist/error-tracking/parsers/base.js 2.62 kB 0 B
packages/core/dist/error-tracking/parsers/base.mjs 697 B 0 B
packages/core/dist/error-tracking/parsers/chrome.js 2.7 kB 0 B
packages/core/dist/error-tracking/parsers/chrome.mjs 1.29 kB 0 B
packages/core/dist/error-tracking/parsers/gecko.js 2.45 kB 0 B
packages/core/dist/error-tracking/parsers/gecko.mjs 1.11 kB 0 B
packages/core/dist/error-tracking/parsers/index.js 4.36 kB 0 B
packages/core/dist/error-tracking/parsers/index.mjs 1.92 kB 0 B
packages/core/dist/error-tracking/parsers/node.js 3.95 kB 0 B
packages/core/dist/error-tracking/parsers/node.mjs 2.68 kB 0 B
packages/core/dist/error-tracking/parsers/opera.js 2.22 kB 0 B
packages/core/dist/error-tracking/parsers/opera.mjs 706 B 0 B
packages/core/dist/error-tracking/parsers/react-native.js 203 B 0 B
packages/core/dist/error-tracking/parsers/react-native.mjs 0 B 0 B 🆕
packages/core/dist/error-tracking/parsers/safari.js 1.88 kB 0 B
packages/core/dist/error-tracking/parsers/safari.mjs 574 B 0 B
packages/core/dist/error-tracking/parsers/winjs.js 1.7 kB 0 B
packages/core/dist/error-tracking/parsers/winjs.mjs 406 B 0 B
packages/core/dist/error-tracking/types.js 1.33 kB 0 B
packages/core/dist/error-tracking/types.mjs 131 B 0 B
packages/core/dist/error-tracking/utils.js 1.8 kB 0 B
packages/core/dist/error-tracking/utils.mjs 604 B 0 B
packages/core/dist/eventemitter.js 1.78 kB 0 B
packages/core/dist/eventemitter.mjs 571 B 0 B
packages/core/dist/featureFlagUtils.js 6.5 kB 0 B
packages/core/dist/featureFlagUtils.mjs 4.28 kB 0 B
packages/core/dist/gzip.js 1.88 kB 0 B
packages/core/dist/gzip.mjs 577 B 0 B
packages/core/dist/index.js 6.07 kB 0 B
packages/core/dist/index.mjs 649 B 0 B
packages/core/dist/posthog-core-stateless.js 29.5 kB 0 B
packages/core/dist/posthog-core-stateless.mjs 27 kB 0 B
packages/core/dist/posthog-core.js 28.4 kB 0 B
packages/core/dist/posthog-core.mjs 24.3 kB 0 B
packages/core/dist/testing/index.js 2.93 kB 0 B
packages/core/dist/testing/index.mjs 79 B 0 B
packages/core/dist/testing/PostHogCoreTestClient.js 3.15 kB 0 B
packages/core/dist/testing/PostHogCoreTestClient.mjs 1.74 kB 0 B
packages/core/dist/testing/test-utils.js 2.71 kB 0 B
packages/core/dist/testing/test-utils.mjs 1.03 kB 0 B
packages/core/dist/types.js 8.2 kB 0 B
packages/core/dist/types.mjs 5.93 kB 0 B
packages/core/dist/utils/bucketed-rate-limiter.js 3.14 kB 0 B
packages/core/dist/utils/bucketed-rate-limiter.mjs 1.76 kB 0 B
packages/core/dist/utils/index.js 9.26 kB 0 B
packages/core/dist/utils/index.mjs 1.88 kB 0 B
packages/core/dist/utils/number-utils.js 2 kB 0 B
packages/core/dist/utils/number-utils.mjs 735 B 0 B
packages/core/dist/utils/promise-queue.js 2 kB 0 B
packages/core/dist/utils/promise-queue.mjs 768 B 0 B
packages/core/dist/utils/string-utils.js 1.91 kB 0 B
packages/core/dist/utils/string-utils.mjs 414 B 0 B
packages/core/dist/utils/type-utils.js 6.93 kB 0 B
packages/core/dist/utils/type-utils.mjs 3.03 kB 0 B
packages/core/dist/vendor/uuidv7.js 8.29 kB 0 B
packages/core/dist/vendor/uuidv7.mjs 6.72 kB 0 B
packages/nextjs-config/dist/config.js 5.51 kB 0 B
packages/nextjs-config/dist/config.mjs 4.03 kB 0 B
packages/nextjs-config/dist/index.js 2.24 kB 0 B
packages/nextjs-config/dist/index.mjs 30 B 0 B
packages/nextjs-config/dist/utils.js 6.06 kB 0 B
packages/nextjs-config/dist/utils.mjs 3.54 kB 0 B
packages/nextjs-config/dist/utils.spec.js 723 B 0 B
packages/nextjs-config/dist/utils.spec.mjs 455 B 0 B
packages/nextjs-config/dist/webpack-plugin.js 3.69 kB 0 B
packages/nextjs-config/dist/webpack-plugin.mjs 1.98 kB 0 B
packages/node/dist/client.js 22.7 kB 0 B
packages/node/dist/client.mjs 20.8 kB 0 B
packages/node/dist/entrypoints/index.edge.js 3.81 kB 0 B
packages/node/dist/entrypoints/index.edge.mjs 449 B 0 B
packages/node/dist/entrypoints/index.node.js 4.66 kB 0 B
packages/node/dist/entrypoints/index.node.mjs 684 B 0 B
packages/node/dist/exports.js 3.6 kB 0 B
packages/node/dist/exports.mjs 124 B 0 B
packages/node/dist/extensions/error-tracking/autocapture.js 2.65 kB 0 B
packages/node/dist/extensions/error-tracking/autocapture.mjs 1.23 kB 0 B
packages/node/dist/extensions/error-tracking/chunk-ids.js 2.55 kB 0 B
packages/node/dist/extensions/error-tracking/chunk-ids.mjs 1.32 kB 0 B
packages/node/dist/extensions/error-tracking/context-lines.node.js 8.86 kB 0 B
packages/node/dist/extensions/error-tracking/context-lines.node.mjs 7.13 kB 0 B
packages/node/dist/extensions/error-tracking/error-conversion.js 7.21 kB 0 B
packages/node/dist/extensions/error-tracking/error-conversion.mjs 5.53 kB 0 B
packages/node/dist/extensions/error-tracking/get-module.node.js 2.56 kB 0 B
packages/node/dist/extensions/error-tracking/get-module.node.mjs 1.2 kB 0 B
packages/node/dist/extensions/error-tracking/index.js 3.92 kB 0 B
packages/node/dist/extensions/error-tracking/index.mjs 2.58 kB 0 B
packages/node/dist/extensions/error-tracking/reduceable-cache.js 1.8 kB 0 B
packages/node/dist/extensions/error-tracking/reduceable-cache.mjs 604 B 0 B
packages/node/dist/extensions/error-tracking/stack-parser.js 5.79 kB 0 B
packages/node/dist/extensions/error-tracking/stack-parser.mjs 4.58 kB 0 B
packages/node/dist/extensions/error-tracking/type-checking.js 2.58 kB 0 B
packages/node/dist/extensions/error-tracking/type-checking.mjs 948 B 0 B
packages/node/dist/extensions/error-tracking/types.js 1.33 kB 0 B
packages/node/dist/extensions/error-tracking/types.mjs 131 B 0 B
packages/node/dist/extensions/express.js 2.17 kB 0 B
packages/node/dist/extensions/express.mjs 548 B 0 B
packages/node/dist/extensions/feature-flags/crypto-helpers.js 2.72 kB 0 B
packages/node/dist/extensions/feature-flags/crypto-helpers.mjs 624 B 0 B
packages/node/dist/extensions/feature-flags/crypto.js 1.96 kB 0 B
packages/node/dist/extensions/feature-flags/crypto.mjs 673 B 0 B
packages/node/dist/extensions/feature-flags/feature-flags.js 26.8 kB 0 B
packages/node/dist/extensions/feature-flags/feature-flags.mjs 25 kB 0 B
packages/node/dist/extensions/feature-flags/lazy.js 1.89 kB 0 B
packages/node/dist/extensions/feature-flags/lazy.mjs 739 B 0 B
packages/node/dist/extensions/sentry-integration.js 4.7 kB 0 B
packages/node/dist/extensions/sentry-integration.mjs 3.21 kB 0 B
packages/node/dist/storage-memory.js 1.52 kB 0 B
packages/node/dist/storage-memory.mjs 297 B 0 B
packages/node/dist/types.js 603 B 0 B
packages/node/dist/types.mjs 0 B 0 B 🆕
packages/node/dist/utils/logger.js 2.16 kB 0 B
packages/node/dist/utils/logger.mjs 971 B 0 B
packages/node/dist/version.js 1.21 kB 0 B
packages/node/dist/version.mjs 45 B 0 B
packages/react-native/dist/autocapture.js 4.68 kB 0 B
packages/react-native/dist/frameworks/wix-navigation.js 1.3 kB 0 B
packages/react-native/dist/hooks/useFeatureFlag.js 1.49 kB 0 B
packages/react-native/dist/hooks/useFeatureFlags.js 821 B 0 B
packages/react-native/dist/hooks/useNavigationTracker.js 2.46 kB 0 B
packages/react-native/dist/hooks/usePostHog.js 467 B 0 B
packages/react-native/dist/index.js 3.12 kB 0 B
packages/react-native/dist/native-deps.js 13.9 kB 0 B
packages/react-native/dist/optional/OptionalAsyncStorage.js 299 B 0 B
packages/react-native/dist/optional/OptionalExpoApplication.js 377 B 0 B
packages/react-native/dist/optional/OptionalExpoDevice.js 347 B 0 B
packages/react-native/dist/optional/OptionalExpoFileSystem.js 386 B 0 B
packages/react-native/dist/optional/OptionalExpoFileSystemLegacy.js 423 B 0 B
packages/react-native/dist/optional/OptionalExpoLocalization.js 383 B 0 B
packages/react-native/dist/optional/OptionalReactNativeDeviceInfo.js 415 B 0 B
packages/react-native/dist/optional/OptionalReactNativeLocalize.js 303 B 0 B
packages/react-native/dist/optional/OptionalReactNativeNavigation.js 415 B 0 B
packages/react-native/dist/optional/OptionalReactNativeNavigationWix.js 443 B 0 B
packages/react-native/dist/optional/OptionalReactNativeSafeArea.js 644 B 0 B
packages/react-native/dist/optional/OptionalSessionReplay.js 455 B 0 B
packages/react-native/dist/posthog-rn.js 31.4 kB 0 B
packages/react-native/dist/PostHogContext.js 329 B 0 B
packages/react-native/dist/PostHogProvider.js 4.77 kB 0 B
packages/react-native/dist/storage.js 3.39 kB 0 B
packages/react-native/dist/surveys/components/BottomSection.js 1.34 kB 0 B
packages/react-native/dist/surveys/components/Cancel.js 909 B 0 B
packages/react-native/dist/surveys/components/ConfirmationMessage.js 1.58 kB 0 B
packages/react-native/dist/surveys/components/QuestionHeader.js 1.11 kB 0 B
packages/react-native/dist/surveys/components/QuestionTypes.js 10.1 kB 0 B
packages/react-native/dist/surveys/components/SurveyModal.js 3.86 kB 0 B
packages/react-native/dist/surveys/components/Surveys.js 6.18 kB 0 B
packages/react-native/dist/surveys/getActiveMatchingSurveys.js 3.48 kB 0 B
packages/react-native/dist/surveys/icons.js 7.76 kB 0 B
packages/react-native/dist/surveys/index.js 600 B 0 B
packages/react-native/dist/surveys/PostHogSurveyProvider.js 5.61 kB 0 B
packages/react-native/dist/surveys/surveys-utils.js 9.31 kB 0 B
packages/react-native/dist/surveys/useActivatedSurveys.js 3.38 kB 0 B
packages/react-native/dist/surveys/useSurveyStorage.js 2.16 kB 0 B
packages/react-native/dist/types.js 70 B 0 B
packages/react-native/dist/version.js 129 B 0 B
packages/react/dist/esm/index.js 15.1 kB 0 B
packages/react/dist/umd/index.js 17.8 kB 0 B
packages/web/dist/index.cjs 13.8 kB 0 B
packages/web/dist/index.mjs 13.7 kB 0 B
tooling/rollup-utils/dist/index.js 1.17 kB 0 B

compressed-size-action

@posthog-bot
Copy link
Collaborator

This PR hasn't seen activity in a week! Should it be merged, closed, or further worked on? If you want to keep it open, post a comment or remove the stale label – otherwise this will be closed in another week.

@rafaeelaudibert
Copy link
Member

@robbie-c any reason why this is still in draft?

rafaeelaudibert
rafaeelaudibert reviewed Sep 19, 2025
View reviewed changes
@posthog-bot posthog-bot removed the stale label Sep 22, 2025
@robbie-c
Copy link
Member Author

any reason why this is still in draft?

Only that I had bigger fish to fry. Let's get this merged though

@robbie-c robbie-c force-pushed the mask-cookie-campaign-params branch from a4dbdcc to ab1e72b Compare September 24, 2025 10:44
@robbie-c robbie-c marked this pull request as ready for review September 24, 2025 10:44
greptile-apps[bot]
greptile-apps bot reviewed Sep 24, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 files reviewed, 2 comments

Edit Code Review Bot Settings | Greptile

packages/browser/src/utils/request-utils.ts
}

// replace any query params in the url with the provided mask value. Tries to keep the URL as instant as possible,
// replace any query params in the url with the provided mask value. Tries to keep the URL as intact as possible,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

syntax: typo: "instant" should be "intact"

Suggested change
// replace any query params in the url with the provided mask value. Tries to keep the URL as intact as possible,
// replace any query params in the url with the provided mask value. Tries to keep the URL as intact as possible,

packages/browser/src/utils/event-utils.ts Outdated
maskQueryParams(document.URL, paramsToMask, MASKED),
customTrackedParams
)
const urlCampaignParams = _getCampaignParamsFromUrl(document.URL, config?.custom_campaign_params)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

logic: removed masking from URL extraction which could expose sensitive URL parameters

Suggested change
const urlCampaignParams = _getCampaignParamsFromUrl(document.URL, config?.custom_campaign_params)
const urlCampaignParams = _getCampaignParamsFromUrl(maskQueryParams(document.URL, paramsToMask, MASKED), config?.custom_campaign_params)

@robbie-c robbie-c force-pushed the mask-cookie-campaign-params branch from d215c0e to c2b1f60 Compare September 24, 2025 10:46
@robbie-c
Copy link
Member Author

@rafaeelaudibert I remembered why, it's because web experiments called this from a static function, and I didn't want to refactor it. I just did that, tagging @PostHog/team-experiments in case you want to have a look at the changes

@robbie-c robbie-c requested a review from a team September 24, 2025 11:39
@robbie-c robbie-c added the bump patch Bump patch version when this PR gets merged label Sep 24, 2025
@rafaeelaudibert
Copy link
Member

any reason why this is still in draft?

Only that I had bigger fish to fry. Let's get this merged though

You are truly British, can I have some with chips?

@posthog-bot
Copy link
Collaborator

This PR hasn't seen activity in a week! Should it be merged, closed, or further worked on? If you want to keep it open, post a comment or remove the stale label – otherwise this will be closed in another week.

@posthog-bot
Copy link
Collaborator

This PR was closed due to lack of activity. Feel free to reopen if it's still relevant.

@posthog-bot posthog-bot closed this Oct 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rafaeelaudibert rafaeelaudibert rafaeelaudibert approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bump patch Bump patch version when this PR gets merged stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robbie-c @posthog-bot @rafaeelaudibert