Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Struggling with using PostHog and Security Headers #976

Open
MathiasWP opened this issue Jan 28, 2024 · 3 comments
Open

Struggling with using PostHog and Security Headers #976

MathiasWP opened this issue Jan 28, 2024 · 3 comments

Comments

@MathiasWP
Copy link

MathiasWP commented Jan 28, 2024
edited

We're setting our Security Headers with Helmet.js' default values. PostHog is crashing because setting Cross-Origin-Embedder-Policy to require-corp requires the crossorigin attribute to be set to anonymous. How can this attribute be set on the PostHog scripts that are added during runtime?

Current workaround: Setting Cross-Origin-Embedder-Policy to credentialless, which is not ideal.

Screenshot of the error in Chrome:
Screenshot 2024-01-29 at 00 28 30
@MathiasWP MathiasWP changed the title Adding crossorigin to the PostHog script added by the library Struggling with using PostHog and Security Headers Jan 29, 2024
@pauldambra
Copy link
Member

Hey @MathiasWP

I've not used COEP before and just reading up here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#avoiding_coep_blockage_with_cors

If you enable COEP using require-corp and have a cross origin resource that needs to be loaded, it needs to support CORS and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP.

<img src="https://thirdparty.com/img.png" crossorigin />

eu.posthog.com should be sending the correct CORS headers, so I think this is "only" a request to add the crossorigin attribute to the appropriate script tags.

Does that sound right based on what you see with your site?

Is it only the toolbar.js that is affected for you?

@MathiasWP
Copy link
Author

MathiasWP commented Jan 30, 2024
edited

Hey @MathiasWP

I've not used COEP before and just reading up here developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#avoiding_coep_blockage_with_cors

If you enable COEP using require-corp and have a cross origin resource that needs to be loaded, it needs to support CORS and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP.

<img src="https://thirdparty.com/img.png" crossorigin />

eu.posthog.com should be sending the correct CORS headers, so I think this is "only" a request to add the crossorigin attribute to the appropriate script tags.

Does that sound right based on what you see with your site?

Is it only the toolbar.js that is affected for you?

To be honest, i am not sure if only adding crossorigin will solve this issue. The toolbar.js is affected, and i believe other scripts like recorder-v2.js are also affected. The response header of the script should have Cross-Origin-Resource-Policy set to same-site, same-origin, or cross-origin, which does not seem to be have set.

Let me know if there's any way i can help!

@MathiasWP
Copy link
Author

What's the status on this issue?

@alecmocatta alecmocatta mentioned this issue Apr 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pauldambra @MathiasWP