Update posthog script

[carlosabadia]

No description provided.

[greptile-apps]

Greptile Summary

This PR updates the PostHog initialization snippet in POSTHOG_SCRIPT_TEMPLATE to a newer version of the PostHog JS stub (adding newer API methods like captureTraceFeedback, captureTraceMetric, get_explicit_consent_status, etc.) and adds person_profiles: 'always' to the init config (previously flagged in review thread). The rest of the file — helper functions and constants — is unchanged from PR #6310.

Confidence Score: 5/5

Safe to merge; the snippet update is standard PostHog boilerplate and the only non-P2 concern (person_profiles: 'always') was already addressed in a prior review thread.

The changes are a routine PostHog snippet version bump and a single config addition. No P0/P1 issues were identified in the new code. The recordCrossOriginIframes flag warrants a documentation comment but does not block merge.

packages/reflex-ui/src/reflex_ui/blocks/telemetry/posthog.py — review the recordCrossOriginIframes: true setting against any embedded cross-origin iframes in the codebase.

Vulnerabilities

• recordCrossOriginIframes: true in session_recording may cause PostHog to attempt recording content from embedded third-party iframes; if sensitive iframes (e.g. payment widgets) are present, this warrants a GDPR/CCPA review.
• No other security concerns identified (API keys are not hardcoded, script template formatting is correct with properly escaped Python format placeholders).

Important Files Changed

Filename	Overview
packages/reflex-ui/src/reflex_ui/blocks/telemetry/posthog.py	PostHog initialization snippet updated to a newer version of the stub; person_profiles: 'always' added; recordCrossOriginIframes: true is set in session_recording, which captures cross-origin iframe content and may have privacy implications.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant ReflexApp as Reflex App (rx.script)
    participant PostHogProxy as pg.reflex.dev (Proxy)
    participant PostHogUS as us.posthog.com

    Browser->>ReflexApp: Page load
    ReflexApp->>Browser: Inject POSTHOG_SCRIPT_TEMPLATE
    Browser->>PostHogProxy: GET /static/array.js (PostHog SDK)
    PostHogProxy-->>Browser: PostHog SDK JS
    Browser->>PostHogProxy: posthog.init(project_id, {api_host, ui_host, person_profiles:'always'})
    note over Browser,PostHogProxy: Session recording with recordCrossOriginIframes:true
    Browser->>PostHogProxy: Capture events / session data
    PostHogProxy->>PostHogUS: Forward events
    note over Browser: identify_posthog_user() / track_*_form_posthog_submission()
    Browser->>PostHogProxy: posthog.identify() + posthog.capture()

Loading

_{Reviews (2): Last reviewed commit: "always" | Re-trigger Greptile}

[codspeed-hq]

Merging this PR will not alter performance

✅ 9 untouched benchmarks

---

_{Comparing carlos/update-posthog-script-proxy (6d9642f) with main (1dd2d1a)}

[greptile-apps]

Tip:

Greploop — Automatically fix all review issues by running /greploops in Claude Code. It iterates: fix, push, re-review, repeat until 5/5 confidence.

Use the Greptile plugin for Claude Code to query reviews, search comments, and manage custom context directly from your terminal.

[greptile-apps]

Greptile encountered an error while reviewing this PR. Please reach out to support@greptile.com for assistance.