
Heap integration defaults to http in moz-extension contexts. #250

ntinkler-calendly opened this issue Oct 17, 2019 · 1 comment

@ntinkler-calendly

I'm using segment within a web-extension codebase that supports both Chrome and Firefox.

The heap integration for segment does not specify a scheme for the injected script:
https://github.com/segmentio/analytics.js-integrations/blob/master/integrations/heap/lib/index.js#L24

When this script is injected into the background script of a Chrome extension, the protocol is correctly resolved as https.

When this script is injected into the background script of a Firefox extension, the scheme reverts to http.
see: https://imgur.com/a/wumClPn

I'd really prefer not to load mixed content in our extension. I'd also like my analytics code to not be vulnerable to MITM attacks.

Right now the workaround is ugly: stick a MutationObserver on the page, wait for analytics.js to inject the heap script, then fix the scheme myself and re-inject.

I'd like to propose a check in the heap integration for the following two protocols:
- "moz-extension:"
- "chrome-extension:"

If window.location.protocol is either of those values, I believe the integration should specify the scheme as 'https://' instead of leaving it empty and getting mixed behavior across browsers.

I'm happy to put the PR together myself if needed.
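The scheme check proposed above, written out as an added example (not code from analytics.js-integrations, Heap, or the issue author). The loader path, the function names and the `file:` case are assumptions; the `isInsecureLoad` helper is a defender-side check for whether a given script URL would load over plaintext on a given page.

```javascript
// Added example, not the project's code. The CDN path is a constructed
// placeholder, not Heap's real loader URL.
const HEAP_LOADER_PATH = '//cdn.example.invalid/heap.js';
const EXTENSION_PROTOCOLS = new Set(['moz-extension:', 'chrome-extension:']);

// Before: the loader URL is protocol-relative. On an http(s) page the browser
// inherits the page scheme; inside an extension page there is no http(s)
// scheme to inherit, and the issue reports Firefox falling back to plain http.
function loaderUrlBefore() {
  return HEAP_LOADER_PATH;
}

// After: pin https whenever the including document is an extension page.
// file: is included on the assumption that the loader already special-cases
// it elsewhere, as the follow-up comment suggests.
function loaderUrlAfter(pageProtocol) {
  if (EXTENSION_PROTOCOLS.has(pageProtocol) || pageProtocol === 'file:') {
    return 'https:' + HEAP_LOADER_PATH;
  }
  return HEAP_LOADER_PATH; // ordinary http(s) pages keep the old behaviour
}

// Wiring for a real page: derive the scheme from window.location.protocol.
// `win` is any window-like object with a `location.protocol` string.
function heapScriptSrc(win) {
  return loaderUrlAfter(win.location.protocol);
}

// Defender-side check: would this script URL be fetched over plaintext (or,
// on an extension page, with a browser-dependent scheme)? Protocol-relative
// URLs count as safe only when the including page itself is https.
function isInsecureLoad(scriptUrl, pageProtocol) {
  if (scriptUrl.startsWith('http:')) return true;
  if (scriptUrl.startsWith('https:')) return false;
  return pageProtocol !== 'https:';
}

// Walk through the contexts the issue mentions.
for (const proto of ['https:', 'moz-extension:', 'chrome-extension:']) {
  const before = loaderUrlBefore();
  const after = heapScriptSrc({ location: { protocol: proto } });
  console.log(proto, 'before:', before, isInsecureLoad(before, proto),
              '| after:', after, isInsecureLoad(after, proto));
}
```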

@ntinkler-calendly
Author

Digging deeper, it seems more appropriate to fix the issue here:

Since that chunk of code is what's causing the root issue and is already working around a variant of this problem for file:// schemes.

But the scope of the change is much larger.
