This repository has been archived by the owner on Sep 13, 2022. It is now read-only.

Rudderlabs sets cookie for whole domain #1296

Open
dmke opened this issue Nov 13, 2020 · 2 comments

dmke commented Nov 13, 2020

Summary

Rudderlabs cookies are set on the domain .example.com, not on mattermost.example.com.

Environment Information

  • Webapp or React Native app: Webapp
  • Mattermost Server Version: latest

Steps to reproduce

Install Mattermost on a server. Use a subdomain, e.g. https://mattermost.example.com. Visit that domain. Observe that the JS application (the 5MB main.js) sets two cookies, rl_user_id and rl_anonymous_id, for the domain .example.com.

Now visit https://example.com, or https://gitlab.example.com. Observe the same cookies sent to these domains as well.

Bonus: have a development machine reachable at http://dev-42.vpn.example.com. Observe a lot of warnings for these cookies.

Expected behavior

The Rudderlabs cookies should only be set for mattermost.example.com.

Observed behavior

See above. The cookies are set up to be tracking cookies for the whole domain, including all subdomains.

Possible fixes

Confine Rudderlabs cookies to the (sub)domain Mattermost is installed on.

If that's not possible, remove Rudderlabs altogether.
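
The scoping behaviour reported above, as an added example that is not part of the original issue and is not Mattermost or Rudderlabs code: a small model of RFC 6265 domain matching that shows which of the issue's hosts receive a cookie set with Domain=.example.com compared with a host-only cookie. The function names are hypothetical.

```javascript
// Added example; helper names are hypothetical. Models RFC 6265 host/domain
// scoping only: Path, Secure, SameSite and public-suffix checks are left out.

// RFC 6265 section 5.1.3: a host domain-matches when it equals the cookie
// domain, or ends with "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// What the browser stores when settingHost writes a cookie. No Domain
// attribute gives a host-only cookie; a Domain attribute shares it with
// every subdomain of that domain.
function storeCookie(name, settingHost, domainAttr) {
  if (!domainAttr) {
    return { name, domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
  // A host can only set cookies for itself or one of its parent domains.
  if (!domainMatch(settingHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Whether the cookie is attached to a request for requestHost.
function isSentTo(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Hosts named in the issue, plus one unrelated host as a control.
const HOSTS = [
  "mattermost.example.com", "example.com", "gitlab.example.com",
  "dev-42.vpn.example.com", "example.org",
];
const APP = "mattermost.example.com";
const observed = storeCookie("rl_user_id", APP, ".example.com"); // as reported
const expected = storeCookie("rl_user_id", APP, null);           // as requested

console.log("Domain=.example.com ->", recipients(observed, HOSTS));
console.log("host-only           ->", recipients(expected, HOSTS));
```
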


dmke commented Nov 17, 2020

More context:

We have set up a development domain (local.example.com and all its subdomains resolve to 127.0.0.1/::1). Running Mattermost on mattermost.example.com creates A LOT of noise in our dev tools:

[image]

This is really annoying because for each resource (font, image, stylesheet, Webpack chunk, API request, ...), I get two warnings (for the two rl_*_id cookies). The screenshot contains 2-3 screens full of warnings, masking the ones I do care for.

@coltoneshaw
Member

@dmke - Thanks for submitting this issue! I've opened an internal ticket to track this - MM-36643.
