You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: FIRST_PARTY.md
+16Lines changed: 16 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -53,6 +53,22 @@ Some SDKs have quirks that require targeted regex patches after AST rewriting. T
53
53
54
54
Note: Google Analytics previously needed `postProcess` regex patches for dynamically constructed collect URLs. This is no longer needed since the runtime intercept plugin catches all non-same-origin URLs at the `sendBeacon`/`fetch` call site.
55
55
56
+
## Path aliases (`proxy.alias`)
57
+
58
+
By default proxy paths embed the verbatim third-party hostname (`/_scripts/p/us.i.posthog.com/e/`), which leaks self-hosted/internal domains and is trivially classified by ad-blockers. `scripts.proxy.alias` replaces the hostname segment with an alias:
59
+
-`true` — auto-generate a short deterministic hash per domain (`sha256(domain).slice(0,8)`)
The pure logic lives in `proxy-alias.ts` (`aliasForDomain`, `buildDomainAliasMap`, `invertAliasMap`, `aliasProxyValue`). The module builds a `domain → alias` map from every proxied domain (those in `domainPrivacy`) and threads it through every point that emits a proxy path:
-**Auto-inject** (`applyAutoInject`): `aliasProxyValue` rewrites the host segment of the computed endpoint
65
+
-**Runtime intercept** (`intercept.ts`): embeds the alias map; `proxyUrl` maps `parsed.host → alias`
66
+
-**Partytown** (`generatePartytownResolveUrl`): embeds the alias map; worker requests map `url.host → alias`
67
+
-**Server handler** (`proxy-handler.ts`): the inverted `aliasToDomain` map resolves the alias segment back to the real domain before allowlist matching and forwarding (verbatim hostnames still resolve, so aliasing is non-breaking)
68
+
-**Devtools** (`useScript.ts` network matcher): `aliasToDomain` is exposed in devtools config so aliased requests still attribute to their script
69
+
70
+
Wildcard domains (`*`) are never aliased — they have no literal path form to rewrite and only exist for runtime allowlist matching.
71
+
56
72
## Key mapping
57
73
58
74
Proxy config keys match registry keys directly — no indirection layer. A script's `registryKey` is used to look up its proxy config from `proxy-configs.ts`.
By default, proxied requests embed the real third-party hostname in the path, for example `/_scripts/p/us.i.posthog.com/e/`. For self-hosted services this leaks your internal domain (e.g. `/_scripts/p/analytics.internal.example.com/api/send`) into client-facing URLs, and the verbatim hostname makes requests easy for ad-blockers and network observers to classify.
150
+
151
+
Use `proxy.alias` to replace hostnames with an alias in the path. The real domain never appears in the URL.
152
+
153
+
Set `alias: true` to auto-generate a short opaque alias per domain:
154
+
155
+
```ts [nuxt.config.ts]
156
+
exportdefaultdefineNuxtConfig({
157
+
scripts: {
158
+
proxy: {
159
+
alias: true, // /_scripts/p/a1b2c3d4/e/
160
+
}
161
+
}
162
+
})
163
+
```
164
+
165
+
Or map specific domains to custom aliases. Domains not listed keep their verbatim hostname:
166
+
167
+
```ts [nuxt.config.ts]
168
+
exportdefaultdefineNuxtConfig({
169
+
scripts: {
170
+
proxy: {
171
+
alias: {
172
+
'us.i.posthog.com': 'ph',
173
+
'analytics.internal.example.com': 'a',
174
+
}
175
+
}
176
+
}
177
+
})
178
+
```
179
+
180
+
Aliases apply everywhere a proxy path is produced: build-time URL rewrites, auto-injected endpoints (such as PostHog's `apiHost`), runtime-intercepted requests, and Partytown worker requests. The server handler resolves the alias back to the real domain before forwarding upstream.
181
+
182
+
::callout{type="info"}
183
+
Aliases only change the path segment. To also change the `/_scripts/p` prefix itself, set the top-level `prefix` option (e.g. `prefix: '/_t'`).
184
+
::
185
+
186
+
::callout{type="warning"}
187
+
Aliases keep the real hostname out of request **URLs**, which is what ad-blockers and network observers match on. For scripts whose collection URL is built at runtime (e.g. a self-hosted endpoint passed via config), the real host can still appear in the client JavaScript, since the script needs to know where it would otherwise send. Aliasing does not obfuscate your bundle, it removes the hostname from the network-visible path.
thrownewError(`[nuxt-scripts] Invalid proxy alias "${alias}" for "${domain}": use a single URL-safe path segment (letters, digits, '-', '_', '.').`)
961
+
if(realDomains.has(alias))
962
+
thrownewError(`[nuxt-scripts] Proxy alias "${alias}" for "${domain}" collides with proxied domain "${alias}". Pick an alias that is not also a proxied hostname.`)
963
+
constprev=aliasOwner.get(alias)
964
+
if(prev)
965
+
thrownewError(`[nuxt-scripts] Proxy alias collision: "${prev}" and "${domain}" both map to "${alias}". Give each domain a unique alias.`)
0 commit comments