mixpanel / mixpanel-js

Official Mixpanel JavaScript Client Library
https://mixpanel.com/help/reference/javascript

Remote code inclusion (mixpanel-recorder.min.js) #428

Open revmischa opened 1 month ago

revmischa commented 1 month ago

I have been using mixpanel-browser in my Chrome extension for some time; it's included in content scripts which are injected into pages along with our UI and features, and we use Mixpanel to track their usage.

After upgrading to a recent mixpanel-browser version, we're unable to get our extension approved now because of remote code inclusion of mixpanel-recorder.min.js:

[Screenshot 2024-05-30 at 8 18 53 AM]

I believe this is caused by this behavior: https://github.com/mixpanel/mixpanel-js/blob/34b4396de534e4f5cf4b5cac80afd14a8322ce1f/src/mixpanel-core.js#L380 (added in https://github.com/mixpanel/mixpanel-js/commit/4b2d17314efd0c222ead912a451fc56e74f2bfe3).

I'm not sure what can be done about this other than rolling back to an older version of mixpanel-browser. I don't need session recording just event tracking. Ideally there would be a version of this library that does not include remote code execution.

tdumitrescu commented 1 month ago

Thanks for bringing this up. I take it you're installing via npm and bundling the SDK with the rest of your code (e.g. `import mixpanel from 'mixpanel-browser'`)? The main "HTML script snippet"-based loader has always done this style of async script loading from our CDN. We're looking into providing bundle-ready builds that don't have this behavior.

revmischa commented 1 month ago

Yeah, I'm using webpack to build my extension. For now I am trying to work around it with:

```js
// webpack.config.js (excerpt): remove remote code loading.
// `resolve` is path.resolve and `webpackExtSrcDir` is the extension's source directory.
module: {
  rules: [
    {
      test: /mixpanel-browser.*\.js$/,
      use: [
        {
          loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
        },
      ],
    },
  ],
},
```

```js
// webpack/mixpanelNoop-loader.js
// This replaces the remote code loading in mixpanel so our extension doesn't anger Chrome Web Store reviewers.
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}
```

But it's not ideal.
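An added example, not code from the issue author or from mixpanel-js: the same source transform as the loader above, plus two checks a practitioner would want before submitting an extension build. First, the transform throws when the expected pattern is absent, so a library upgrade that renames or restructures `start_session_recording` breaks the build instead of silently shipping the remote loader again. Second, a small post-build audit scans a bundle for runtime `<script>` creation and `.src` assignments to absolute URLs, which is the kind of pattern a store reviewer flags as remotely hosted code. The `SAMPLE_SOURCE` string is constructed to mimic the shape the thread's regex targets; it is not the real library source, and the CDN hostname in it is a placeholder.

```javascript
// Assumption: the pattern below is the one posted in the thread; the library's real
// code may differ, which is exactly why the transform fails loudly on a non-match.
const RECORDER_PATTERN =
  /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/;

const NOOP = "MixpanelLib.prototype.start_session_recording = function() {};";

// Replace the session-recording entry point with a no-op. A silent no-match would
// leave the remote loader in place, so treat it as a build error.
function stripSessionRecording(source) {
  if (!RECORDER_PATTERN.test(source)) {
    throw new Error("mixpanel session-recording pattern not found; loader needs updating");
  }
  return source.replace(RECORDER_PATTERN, NOOP);
}

// Heuristic audit for remotely hosted code in a bundle: script elements created at
// runtime, or a `.src` assigned an absolute or protocol-relative http(s) URL.
// Results carry 1-based line numbers for triage; false positives are expected and
// should be reviewed by hand rather than suppressed.
const SCRIPT_CREATE = /createElement\(\s*['"]script['"]\s*\)/;
const REMOTE_SRC = /\.src\s*=\s*['"`](https?:)?\/\/[^'"`]+/;

function findRemoteScriptLoads(bundle) {
  const hits = [];
  bundle.split("\n").forEach((line, i) => {
    if (SCRIPT_CREATE.test(line) || REMOTE_SRC.test(line)) {
      hits.push({ line: i + 1, text: line.trim() });
    }
  });
  return hits;
}

// Constructed sample input (not the real mixpanel-js source, placeholder CDN host).
const SAMPLE_SOURCE = [
  "MixpanelLib.prototype.track = function(name) { send(name); };",
  "MixpanelLib.prototype.start_session_recording = addOptOutCheckMixpanelLib(function () {",
  "  var s = document.createElement('script');",
  "  s.src = 'https://cdn.example.invalid/mixpanel-recorder.min.js';",
  "  document.head.appendChild(s);",
  "});",
].join("\n");

// Run the transform and the audit before and after, returning counts for inspection.
function demo() {
  const before = findRemoteScriptLoads(SAMPLE_SOURCE);
  const stripped = stripSessionRecording(SAMPLE_SOURCE);
  const after = findRemoteScriptLoads(stripped);
  return { before: before.length, after: after.length, stripped };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const result = demo();
  console.log(`remote-load hits before: ${result.before}, after: ${result.after}`);
  console.log(result.stripped);
}
```

Wiring `stripSessionRecording` into the webpack loader is a one-line change to the loader file shown above; running `findRemoteScriptLoads` over the final bundle in CI gives an independent check that nothing else in the dependency tree pulls scripts at runtime.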

a-bormark commented 4 days ago

Same issue. Are there any options to opt out of adding the recorder? It's in beta anyway and is available on the Enterprise plan only.

Your suggestions?