Open gaurav5430 opened 3 years ago

I can see that the initial referrer / referrer are capturing the full URL, which sometimes contains sensitive data as well. I would like to somehow filter / mask this information while Mixpanel is capturing these URLs. Is there a way to do so?

(I understand that properties can be blacklisted, but that is not what I want; I would still like to send the value, but with some part of the URL masked or removed.)

---

There's nothing specifically for the referrer properties, but as of v2.40.0 there are some generic "hooks" available that will let you transform data before it goes out over the network. You could use the `before_send_events` hook to modify the referrer properties arbitrarily:

```js
mixpanel.init('my token', {
  hooks: {
    before_send_events: eventData => {
      eventData.properties.$initial_referrer &&= maskSensitiveData(eventData.properties.$initial_referrer);
      return eventData;
    },
  },
});
```

---

thanks, that sounds doable

i am assuming this will only impact the track calls though, or does this impact the initial referrer saved in the cookie as well?

---

Yes, it only affects the network calls. If you're worried about the referrer value getting sent (again) to your servers via the cookie, you can opt for localStorage as the superproperty persistence mechanism instead.

---

umm, sure, but I am also slightly worried about having this cookie / localStorage on a shared computer, where the next person can see the cookie / local storage and get the initial referrer URL (which would automatically log the user in, in our setup)

---

Wow. so the first user also has to clear browser history to protect against session hijacking??

---

not sure if the previous comment was sarcastic 😅

but yeah, we don't control the tokens that get appended in the initial referrer URL (consider it a 3rd-party login, which just redirects to our app with a token in the URL), and sometimes these tokens are not one-time use. So effectively, if anyone can get that URL with the token, they could just revisit the same URL and get logged in as the previous user.

what we do from our side as an added handling is that we replace the URL with the post-login URL (instead of pushing the post-login URL) so it doesn't end up in browser history (at least directly). This does not fix everything of course and there are still ways to get the URL, one of which is the automatic initial referrer URL captured by Mixpanel.

also, as a last resort, I am assuming that Mixpanel might be reading the initial referrer URL information from `document.referrer`, which can be controlled by the referrer policy, so that only the domain gets captured and not the full URL

---

Sure, we're not going to tell you how to architect your app, though I imagine a reusable token on the URL must cause a lot of security headaches. As you surmised, this SDK reads the referrer info out of `document.referrer`: https://github.com/mixpanel/mixpanel-js/blob/d3f7bc6059da60ce651adc6e4a1e79db7de2eaaa/src/mixpanel-core.js#L317-L319

Right now the only configuration option around it is to turn it off entirely (`{save_referrer: false}`). Since your original question was around modifying the value but not eliminating it, I think the option that offers you the most control is for you to turn off the automatic referrer collection and set the property yourselves:

```js
mixpanel.init('my token', {save_referrer: false});
mixpanel.register_once({$initial_referrer: 'any arbitrary value'});
```
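A concrete `maskSensitiveData` for the `before_send_events` hook discussed in this thread, as an added example (not mixpanel-js code and not from any participant). It redacts query-string values and drops the URL fragment from `$initial_referrer` and `$referrer` before the event leaves the browser; `maskReferrer`, `beforeSendEvents` and `MIXPANEL_TOKEN` are names chosen here, and it assumes the login token lives in the query string or fragment rather than the path.

```javascript
// Referrer properties that carry a full URL (a constructed list for this example).
const REFERRER_PROPS = ['$initial_referrer', '$referrer'];

function maskReferrer(value) {
  // Non-URL sentinel values such as '$direct' (no referrer) pass through untouched.
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return value;
  }
  // Keep parameter names (still useful for attribution) but blank every value,
  // so a reusable login token in the query string never reaches the analytics backend.
  for (const key of Array.from(url.searchParams.keys())) {
    url.searchParams.set(key, 'REDACTED');
  }
  // Drop the fragment entirely: implicit-flow logins put access tokens there.
  url.hash = '';
  // Strip embedded credentials if a referrer ever carries them.
  url.username = '';
  url.password = '';
  return url.toString();
}

function beforeSendEvents(eventData) {
  // Mutate the event in place and hand it back, as the hook contract expects.
  const props = eventData && eventData.properties;
  if (props) {
    for (const name of REFERRER_PROPS) {
      if (typeof props[name] === 'string') {
        props[name] = maskReferrer(props[name]);
      }
    }
  }
  return eventData;
}

// Wiring (browser only; MIXPANEL_TOKEN is a placeholder for the project token):
// mixpanel.init(MIXPANEL_TOKEN, { hooks: { before_send_events: beforeSendEvents } });
```

Note that this only changes what is sent over the network; the unmasked URL still sits in the persisted super properties unless `save_referrer: false` is combined with `register_once` of an already-masked value.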