Merge pull request MozillaReality#241 from cvan/fix-origin-check-in-t…
…elemetry

improve origin check in `telemetry.js` (follow up to PR MozillaReality#236 and issue MozillaReality#223)
cvan committed Apr 13, 2018
2 parents 86766f8 + 4843ac4 commit 88a12ca
Showing 2 changed files with 40 additions and 28 deletions.
34 changes: 20 additions & 14 deletions Assets/WebGLTemplates/WebVR/lib/telemetry.js
Expand Up @@ -26,22 +26,28 @@ var endsWith = function (str, suffix) {
return str.indexOf(suffix, str.length - suffix.length) !== -1;
};

// Check if the origin looks like a production, non-development host (i.e., public and served over HTTPS).
// Check if the origin looks like a non-public development host.
// Relevant reading: https://w3c.github.io/webappsec-secure-contexts/#localhost
var isInsecureOrigin = function (win) {
// Allow HTTPS and HTTP.
if (win.isSecureContext === true || win.location.protocol === 'http:') {
var isDevOrigin = function (win) {
if (win.location.hostname === 'localhost' ||
endsWith(win.location.hostname, '.localhost') ||
win.location.hostname === '127.0.1' ||
win.location.hostname.indexOf('192.168.') === 0 ||
win.location.hostname === '0.0.0.0' ||
win.location.host.indexOf('::1') === 0 ||
endsWith(win.location.hostname, '.ngrok.io') ||
endsWith(win.location.hostname, '.localtunnel.me')) {
return true;
}
// A production URL can start with `http://` or `https://` (but not `file:///`).
if (win.location.protocol === 'http:') {
return false;
}
// Do not allow insecure-context origin (e.g., `file:///` paths).
if ('isSecureContext' in win && win.isSecureContext === true) {
return false;
}
return (
win.location.hostname === 'localhost' ||
endsWith(win.location.hostname, '.localhost') ||
win.location.hostname === '127.0.1' ||
win.location.hostname === '0.0.0.0' ||
win.location.host.indexOf('::1') === 0 ||
endsWith(win.location.hostname, '.ngrok.io') ||
endsWith(win.location.hostname, '.localtunnel.me')
);
return true;
};

var CURRENT_VERSION = '1.2.0';
Expand Down Expand Up @@ -228,7 +234,7 @@ function doNotTrack () {

function isTelemetryDisabled () {
// Telemetry is disabled if DNT is enabled or if the origin appears to be for a development environment.
return doNotTrack() || isInsecureOrigin(window);
return doNotTrack() || isDevOrigin(window);
}

})(window);
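Review bot: Two of the loopback comparisons in the new `isDevOrigin` host list look like they can never match, so a page served from a loopback address over `http:` falls through to the `http:` branch, is treated as production, and keeps telemetry on unless Do Not Track is set. Browsers that follow the URL Standard report the IPv4 loopback as `127.0.0.1`, never `127.0.1`, and report an IPv6 literal with its brackets, so `win.location.host.indexOf('::1') === 0` fails on a host such as `[::1]:8080`. I would change those two lines to `win.location.hostname === '127.0.0.1' ||` and `win.location.hostname === '[::1]' ||`. The added `192.168.` prefix covers only one of the private address ranges, which deserves a comment if that is deliberate. The same lines are repeated in the `Build/lib/telemetry.js` section of this commit.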
34 changes: 20 additions & 14 deletions Build/lib/telemetry.js
Expand Up @@ -26,22 +26,28 @@ var endsWith = function (str, suffix) {
return str.indexOf(suffix, str.length - suffix.length) !== -1;
};

// Check if the origin looks like a production, non-development host (i.e., public and served over HTTPS).
// Check if the origin looks like a non-public development host.
// Relevant reading: https://w3c.github.io/webappsec-secure-contexts/#localhost
var isInsecureOrigin = function (win) {
// Allow HTTPS and HTTP.
if (win.isSecureContext === true || win.location.protocol === 'http:') {
var isDevOrigin = function (win) {
if (win.location.hostname === 'localhost' ||
endsWith(win.location.hostname, '.localhost') ||
win.location.hostname === '127.0.1' ||
win.location.hostname.indexOf('192.168.') === 0 ||
win.location.hostname === '0.0.0.0' ||
win.location.host.indexOf('::1') === 0 ||
endsWith(win.location.hostname, '.ngrok.io') ||
endsWith(win.location.hostname, '.localtunnel.me')) {
return true;
}
// A production URL can start with `http://` or `https://` (but not `file:///`).
if (win.location.protocol === 'http:') {
return false;
}
// Do not allow insecure-context origin (e.g., `file:///` paths).
if ('isSecureContext' in win && win.isSecureContext === true) {
return false;
}
return (
win.location.hostname === 'localhost' ||
endsWith(win.location.hostname, '.localhost') ||
win.location.hostname === '127.0.1' ||
win.location.hostname === '0.0.0.0' ||
win.location.host.indexOf('::1') === 0 ||
endsWith(win.location.hostname, '.ngrok.io') ||
endsWith(win.location.hostname, '.localtunnel.me')
);
return true;
};

var CURRENT_VERSION = '1.2.0';
Expand Down Expand Up @@ -228,7 +234,7 @@ function doNotTrack () {

function isTelemetryDisabled () {
// Telemetry is disabled if DNT is enabled or if the origin appears to be for a development environment.
return doNotTrack() || isInsecureOrigin(window);
return doNotTrack() || isDevOrigin(window);
}

})(window);
