fix: protect against broken new URL when proxying

Fixes #608

Author: harlan-zw

src/module.ts

@@ -484,7 +484,7 @@ export default defineNuxtPlugin({
               ? parsed.pathname.slice(rule.pathPrefix.length)
               : parsed.pathname;
             const separator = pathWithoutPrefix.startsWith('/') ? '' : '/';
-            const proxyUrl = rule.target + separator + pathWithoutPrefix + parsed.search;
+            const proxyUrl = window.location.origin + rule.target + separator + pathWithoutPrefix + parsed.search;
 
             return originalBeacon(proxyUrl, data);
           }

src/runtime/registry/posthog.ts

@@ -75,9 +75,12 @@ export function useScriptPostHog<T extends PostHogApi>(_options?: PostHogInput)
           }
 
           const region = options?.region || 'us'
-          const apiHost = options?.apiHost || (region === 'eu'
+          let apiHost = options?.apiHost || (region === 'eu'
             ? 'https://eu.i.posthog.com'
             : 'https://us.i.posthog.com')
+          // Resolve relative proxy paths to absolute URLs so SDKs using new URL() don't throw
+          if (apiHost.startsWith('/'))
+            apiHost = window.location.origin + apiHost
 
           window.__posthogInitPromise = import('posthog-js')
             .then(({ default: posthog }) => {

src/runtime/utils/pure.ts

@@ -93,7 +93,11 @@ export function rewriteScriptUrls(content: string, rewrites: ProxyRewrite[]): st
         const rewritten = rewriteSuffix === '/' || rewriteSuffix.startsWith('?') || rewriteSuffix.startsWith('#')
           ? to + rewriteSuffix
           : joinURL(to, rewriteSuffix)
-        return quote + rewritten + quote
+        // Produce absolute URL by prepending self.location.origin as an expression.
+        // This breaks out of the string literal: "https://example.com/path" → self.location.origin+"/_proxy/path"
+        // Necessary because some SDKs (e.g. TikTok) pass URLs to new URL() without a base argument,
+        // which requires an absolute URL.
+        return 'self.location.origin+' + quote + rewritten + quote
       }
 
       return match
@@ -105,11 +109,11 @@ export function rewriteScriptUrls(content: string, rewrites: ProxyRewrite[]): st
   if (gaRewrite) {
     result = result.replace(
       /"https:\/\/"\+\(.*?\)\+"\.google-analytics\.com\/g\/collect"/g,
-      `"${gaRewrite.to}"`,
+      `self.location.origin+"${gaRewrite.to}"`,
     )
     result = result.replace(
       /"https:\/\/"\+\(.*?\)\+"\.analytics\.google\.com\/g\/collect"/g,
-      `"${gaRewrite.to}"`,
+      `self.location.origin+"${gaRewrite.to}"`,
     )
   }
 

test/unit/proxy-configs.test.ts

@@ -8,39 +8,39 @@ describe('proxy configs', () => {
       const output = rewriteScriptUrls(input, [
         { from: 'www.google-analytics.com', to: '/_scripts/c/ga' },
       ])
-      expect(output).toBe(`fetch("/_scripts/c/ga/g/collect")`)
+      expect(output).toBe(`fetch(self.location.origin+"/_scripts/c/ga/g/collect")`)
     })
 
     it('rewrites https URLs with single quotes', () => {
       const input = `url='https://www.google-analytics.com/analytics.js'`
       const output = rewriteScriptUrls(input, [
         { from: 'www.google-analytics.com', to: '/_scripts/c/ga' },
       ])
-      expect(output).toBe(`url='/_scripts/c/ga/analytics.js'`)
+      expect(output).toBe(`url=self.location.origin+'/_scripts/c/ga/analytics.js'`)
     })
 
     it('rewrites https URLs with backticks', () => {
       const input = 'const u=`https://www.google-analytics.com/collect`'
       const output = rewriteScriptUrls(input, [
         { from: 'www.google-analytics.com', to: '/_scripts/c/ga' },
       ])
-      expect(output).toBe('const u=`/_scripts/c/ga/collect`')
+      expect(output).toBe('const u=self.location.origin+`/_scripts/c/ga/collect`')
     })
 
     it('rewrites protocol-relative URLs', () => {
       const input = `"//www.google-analytics.com/analytics.js"`
       const output = rewriteScriptUrls(input, [
         { from: 'www.google-analytics.com', to: '/_scripts/c/ga' },
       ])
-      expect(output).toBe(`"/_scripts/c/ga/analytics.js"`)
+      expect(output).toBe(`self.location.origin+"/_scripts/c/ga/analytics.js"`)
     })
 
     it('rewrites http URLs', () => {
       const input = `"http://www.google-analytics.com/analytics.js"`
       const output = rewriteScriptUrls(input, [
         { from: 'www.google-analytics.com', to: '/_scripts/c/ga' },
       ])
-      expect(output).toBe(`"/_scripts/c/ga/analytics.js"`)
+      expect(output).toBe(`self.location.origin+"/_scripts/c/ga/analytics.js"`)
     })
 
     it('handles multiple rewrites in single content', () => {
@@ -52,24 +52,24 @@ describe('proxy configs', () => {
         { from: 'www.google-analytics.com', to: '/_scripts/c/ga' },
         { from: 'analytics.google.com', to: '/_scripts/c/ga' },
       ])
-      expect(output).toContain(`"/_scripts/c/ga/g/collect"`)
-      expect(output).toContain(`"/_scripts/c/ga/collect"`)
+      expect(output).toContain(`self.location.origin+"/_scripts/c/ga/g/collect"`)
+      expect(output).toContain(`self.location.origin+"/_scripts/c/ga/collect"`)
     })
 
     it('handles GTM URLs', () => {
       const input = `src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"`
       const output = rewriteScriptUrls(input, [
         { from: 'www.googletagmanager.com', to: '/_scripts/c/gtm' },
       ])
-      expect(output).toBe(`src="/_scripts/c/gtm/gtm.js?id=GTM-XXXX"`)
+      expect(output).toBe(`src=self.location.origin+"/_scripts/c/gtm/gtm.js?id=GTM-XXXX"`)
     })
 
     it('handles Meta Pixel URLs', () => {
       const input = `"https://connect.facebook.net/en_US/fbevents.js"`
       const output = rewriteScriptUrls(input, [
         { from: 'connect.facebook.net', to: '/_scripts/c/meta' },
       ])
-      expect(output).toBe(`"/_scripts/c/meta/en_US/fbevents.js"`)
+      expect(output).toBe(`self.location.origin+"/_scripts/c/meta/en_US/fbevents.js"`)
     })
 
     it('does not rewrite bare domain strings without fromPath', () => {