I'm using Segment within a web-extension codebase that supports both Chrome and Firefox.
The Heap integration for Segment does not specify a scheme for the injected script:
https://github.com/segmentio/analytics.js-integrations/blob/master/integrations/heap/lib/index.js#L24
When this script is injected into the background script of a Chrome extension, the protocol is correctly resolved as https.
When this script is injected into the background script of a Firefox extension, the scheme reverts to http.
See: https://imgur.com/a/wumClPn
I'd really prefer not to load mixed content in our extension. I'd also like my analytics code to not be vulnerable to MITM attacks.
Right now the workaround is ugly: stick a MutationObserver on the page, wait for analytics.js to inject the Heap script, then fix the scheme myself and re-inject.
I'd like to propose a check in the heap integration for the following two protocols:
"moz-extension:"
"chrome-extension:"
If window.location.protocol is either of those values, I believe the integration should specify the scheme as 'https://' instead of leaving it empty and getting mixed behavior across browsers.
I'm happy to put the PR together myself if needed.
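
The check proposed in the issue above, together with the fix-up step of the workaround it describes, sketched as an added example; this is not part of the original issue and not code from analytics.js-integrations. `SCRIPT_URL` is a constructed placeholder, the function names are hypothetical, and defaulting other non-web schemes to https is an assumption of this example.

```javascript
// Added example: not code from analytics.js-integrations or Heap.
// SCRIPT_URL is a constructed placeholder, not the real script location.
const SCRIPT_URL = '//cdn.example.com/js/heap-APP_ID.js';

// The two extension schemes named in the issue.
const EXTENSION_PROTOCOLS = ['moz-extension:', 'chrome-extension:'];

// Build the script src from a protocol-relative URL and the value of
// window.location.protocol, pinning https on extension pages.
function resolveScriptSrc(protocolRelativeUrl, pageProtocol) {
  if (typeof protocolRelativeUrl !== 'string' ||
      !protocolRelativeUrl.startsWith('//')) {
    throw new TypeError('expected a protocol-relative URL such as "//host/path"');
  }
  if (EXTENSION_PROTOCOLS.includes(pageProtocol)) {
    // The check proposed in the issue: never leave the scheme to the browser.
    return 'https:' + protocolRelativeUrl;
  }
  if (pageProtocol === 'http:' || pageProtocol === 'https:') {
    // Ordinary web pages keep the usual protocol-relative behaviour.
    return pageProtocol + protocolRelativeUrl;
  }
  // Assumption of this example: any other scheme (file:, about:) gets https too.
  return 'https:' + protocolRelativeUrl;
}

// Fix-up step of the MutationObserver workaround: given the absolute src of
// an already injected script element, return an https version if it is http.
function upgradeInsecureSrc(src) {
  const url = new URL(src); // throws on relative or malformed input
  if (url.protocol === 'http:') {
    url.protocol = 'https:';
  }
  return url.href;
}
```

In an extension background page, `resolveScriptSrc(SCRIPT_URL, window.location.protocol)` yields the same https URL in both browsers, so the observer-based re-injection is no longer needed.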