fix: heroku subdomain check (#842)

* fix: heroku subdomain check * satisfy codeql like this? * more tests
PostHog · Oct 23, 2023 · 719b3a8 · 719b3a8
1 parent 8ca6d94
commit 719b3a8
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/src/__tests__/utils.js b/src/__tests__/utils.js
@@ -12,6 +12,7 @@ import {
     DEFAULT_BLOCKED_UA_STRS,
     loadScript,
     _isUrlMatchingRegex,
+    isCrossDomainCookie,
 } from '../utils'
 
 function userAgentFor(botString) {
@@ -272,4 +273,20 @@ describe('loadScript', () => {
             expect(_isUrlMatchingRegex('https://example.com/something/test', 'example.com/(.*.)/test')).toEqual(true)
         })
     })
+
+    describe('check for cross domain cookies', () => {
+        it.each([
+            [false, 'https://test.herokuapp.com'],
+            [false, 'test.herokuapp.com'],
+            [false, 'herokuapp.com'],
+            // ensure it isn't matching herokuapp anywhere in the domain
+            [true, 'https://test.herokuapp.com.impersonator.io'],
+            [false, undefined],
+            [true, 'https://bbc.co.uk'],
+            [true, 'bbc.co.uk'],
+            [true, 'www.bbc.co.uk'],
+        ])('should return %s when hostname is %s', (expectedResult, hostname) => {
+            expect(isCrossDomainCookie({ hostname })).toEqual(expectedResult)
+        })
+    })
 })
diff --git a/src/posthog-core.ts b/src/posthog-core.ts
@@ -16,6 +16,7 @@ import {
     userAgent,
     window,
     logger,
+    isCrossDomainCookie,
 } from './utils'
 import { autocapture } from './autocapture'
 import { PostHogFeatureFlags } from './posthog-featureflags'
@@ -109,7 +110,7 @@ const defaultConfig = (): PostHogConfig => ({
     token: '',
     autocapture: true,
     rageclick: true,
-    cross_subdomain_cookie: document?.location?.hostname?.indexOf('herokuapp.com') === -1,
+    cross_subdomain_cookie: isCrossDomainCookie(document?.location),
     persistence: 'cookie',
     persistence_name: '',
     cookie_name: '',

diff --git a/src/utils.ts b/src/utils.ts
@@ -955,4 +955,16 @@ export const _info = {
     },
 }
 
+export function isCrossDomainCookie(documentLocation: Location | undefined) {
+    const hostname = documentLocation?.hostname
+
+    if (!_isString(hostname)) {
+        return false
+    }
+    // split and slice isn't a great way to match arbitrary domains,
+    // but it's good enough for ensuring we only match herokuapp.com when it is the TLD
+    // for the hostname
+    return hostname.split('.').slice(-2).join('.').indexOf('herokuapp.com') === -1
+}
+
 export { win as window, userAgent, document }