rrweb-io / rrweb

record and replay the web
https://www.rrweb.io/
MIT License
16.84k stars 1.44k forks source link

[Bug]: Using RRWeb in chrome extension results in obfuscated code #1578

Open nuwansamaware opened 1 month ago

nuwansamaware commented 1 month ago

Preflight Checklist

What package is this bug report for?

rrweb

Version

2.0.0-alpha.14

Expected Behavior

I am using rrweb in my chrome extension, and I am not using any minification compiling my extension. However, the output js contains following coming from rrweb usage: const encodedJs = "KGZ1bmN0aW9uKCkgewogICJ1c2Ugc3RyaWN0IjsKIC

This is causing chrome web store to reject my extension - which says there cannot be obfuscated code. Any idea how I can resolve this and use rrweb in my extension.

I have attached the decoded version of the code that the above encodedJs refers to. decoded_bitmap.txt

Actual Behavior

When compiled, not to have obfuscated portions of code.

Steps to Reproduce

Include rrweb in extension. Compile. Check the output code

Testcase Gist URL

No response

Additional Information

No response

pauldambra commented 1 month ago

+1 numerous reports of this from folk too we spoke to google dev rel, and it's not a thing they can/will ignore

ebloom19 commented 4 weeks ago

Hey guys I am not sure if this helps at all but I also use Sentry in my Chrome Extension and their "Replay" feature (which also uses the rrweb package) seems to work fine in my extension without google flagging it for obfuscated code.

They seem to be using their own forked version I think?

Check out the packages they use: https://github.com/getsentry/sentry/blob/ef56dcdb29f0ec074fc68acc865cf168c5d043af/package.json#L57

This is the rrweb npm package they seem to be using: @sentry-internal/rrweb https://www.npmjs.com/package/@sentry-internal/rrweb

This is their own forked version of rrweb: https://github.com/getsentry/rrweb

https://blog.sentry.io/sentry-bundle-size-how-we-reduced-replay-sdk-by-35/

Possibly there could be something there that may help with Posthog's solution?

pauldambra commented 4 weeks ago

Hey @ebloom19,

Sentry by default don't include the canvas recording code in their forked build. My guess is that if you included the Sentry canvas recording integration and used Sentry's replay then Google would block that too - assuming they're including the same "obfuscated" rrweb code when canvas replay is enabled

seawatts commented 2 weeks ago

@pauldambra thanks for looking into this and contacting Google. Is there anyway the code would be able to be changed in order for this to get published? Or is there a way to just exclude part of the posthog lib for chrome extensions?

pauldambra commented 2 weeks ago

hey @seawatts

i appreciate this seems slow to resolve it's unfortunately a pretty fiddly set of changes

it's not possible to run session replay without the canvas recording code at the moment. we are making changes to accommodate this but unfortunately it's such an underlying component that we need to go slowly

seawatts commented 2 weeks ago

Thanks @pauldambra for the prompt response. I'll be submitting my extension without this for now. I'll keep an eye out for changes.

nuwansamaware commented 2 weeks ago

I am using rrweb in my extension: TestChimp: https://chromewebstore.google.com/detail/testchimp-create-api-auto/ailhophdeloancmhdklbbkobcbbnbglm.

How I resolved: After running npx webpack, I manually copy paste the un-encoded code equivalent to the encoded portion.

Attached is the code that needs to be replaced and the replacement code. code_to_replace.txt replacement-code.txt

seawatts commented 6 days ago

Thanks @nuwansamaware That looks like it's a viable solution. However that doesn't seem to be the same code that I'm seeing that is getting obfuscated. My code starts with KGZ1bmN0aW9uKCkgewogICJ1c2Ugc3RyaWN0IjsKICB2YXIgY2hhcnM