Mark embedded resources as cross-origin for session recordings. #21697

Open
Bertie2011 opened this issue Apr 20, 2024 · 1 comment
Labels
feature/replay Features for Team Replay

Comments


Bertie2011 commented Apr 20, 2024

Bug description

While building my web app I want to take security seriously. In the OWASP recommended security headers it says to specify Cross-Origin-Embedder-Policy: require-corp. This entails that embedded resources cannot be loaded unless either the server (PostHog servers) sets Cross-Origin-Resource-Policy: cross-origin OR the client library sets the crossorigin attribute on any HTML element that tries to embed something. This last option means that requests will be made without "credentials" (e.g. cookies).

Right now I can't use PostHog session recordings without allowing ALL (implicit) cross-origin embeds.

Some might argue that the chances of somebody injecting and embedding a malicious URL in the age of built-in HTML escaping and URL sanitizers are low, but I'd also think the same for most of the other points in OWASP Top 10 and yet people fail at it enough times for this recommendation to end up in a top 10.

Error Message (and URL):
GET https://eu-assets.i.posthog.com/static/recorder.js?v=1.128.1 net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200 (OK)

How to reproduce

  1. Create a PostHog project.
  2. Copy the install script.
  3. Enable Session recording.
  4. Ensure your server sets
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

Note, if a Content-Security-Policy is set, the frame-src also needs to be configured to allow posthog sources. This is already in my control though, the other two conditions in the first paragraph are not.

Debug info

- [x] PostHog Cloud
- [ ] PostHog Hobby self-hosted with `docker compose`, version/commit: [please provide]
- [ ] PostHog self-hosted with Kubernetes (deprecated, see [`Sunsetting Kubernetes support`](https://posthog.com/blog/sunsetting-helm-support-posthog)), version/commit: [please provide]
@Bertie2011 Bertie2011 added the bug Something isn't working right label Apr 20, 2024
@MarconLP MarconLP added the feature/replay Features for Team Replay label Apr 21, 2024
@pauldambra pauldambra removed the bug Something isn't working right label Apr 24, 2024
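The two conditions the issue describes (the resource server sending Cross-Origin-Resource-Policy: cross-origin, or the embedding element carrying a crossorigin attribute so the request is made in CORS mode) can be modelled as the check a browser runs before a COEP: require-corp document is allowed to embed a resource. The block below is an added example, not code from PostHog, rrweb or the issue author; it implements that check in plain JavaScript and replays the failing request from the error message. The embedding origin `app.example.com` and the response headers are constructed inputs, the registrable-domain helper is a simplification of the Public Suffix List, and the reason labels are the example's own except for the one copied verbatim from the browser error quoted in the issue.

```javascript
// Added example: a model of the embedder-policy check a browser applies under
// Cross-Origin-Embedder-Policy: require-corp. Not PostHog or rrweb code.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Registrable domain approximated as the last two host labels. Real browsers
// consult the Public Suffix List; this is enough for the hosts used here.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// documentUrl:     the page that sends COEP: require-corp
// resourceUrl:     the script/image/etc. that page tries to embed
// crossorigin:     true when the element has a crossorigin attribute (CORS mode)
// responseHeaders: headers returned by the resource server (any case)
function coepAllowsEmbed({ documentUrl, resourceUrl, crossorigin = false, responseHeaders = {} }) {
  const docOrigin = originOf(documentUrl);
  const resOrigin = originOf(resourceUrl);
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );

  // Same-origin embeds are never subject to CORP or CORS.
  if (docOrigin === resOrigin) return { allowed: true, reason: 'same-origin' };

  if (crossorigin) {
    // CORS mode: CORP is not consulted, the CORS check decides. Note that with
    // crossorigin="anonymous" the request is sent without cookies, which is the
    // trade-off the issue mentions.
    const acao = h['access-control-allow-origin'];
    if (acao === '*' || acao === docOrigin) return { allowed: true, reason: 'cors' };
    return { allowed: false, reason: 'cors-missing-allow-origin' };
  }

  // no-cors mode (a plain <script src>): only CORP can authorise the embed.
  // Under require-corp a missing CORP header is treated as "same-origin",
  // which produces the browser error quoted in the issue.
  const corp = (h['cross-origin-resource-policy'] || '').toLowerCase();
  if (corp === 'cross-origin') return { allowed: true, reason: 'corp-cross-origin' };
  if (corp === 'same-site') {
    const sameSite =
      siteOf(documentUrl) === siteOf(resourceUrl) &&
      new URL(documentUrl).protocol === new URL(resourceUrl).protocol;
    return sameSite
      ? { allowed: true, reason: 'corp-same-site' }
      : { allowed: false, reason: 'corp-not-same-site' };
  }
  if (corp === 'same-origin') return { allowed: false, reason: 'corp-not-same-origin' };
  return { allowed: false, reason: 'NotSameOriginAfterDefaultedToSameOriginByCoep' };
}

// The request from the issue: recorder.js loaded by a plain <script> element
// and answered without a CORP header. The embedding origin is constructed.
const ISSUE_CASE = {
  documentUrl: 'https://app.example.com/',
  resourceUrl: 'https://eu-assets.i.posthog.com/static/recorder.js?v=1.128.1',
  crossorigin: false,
  responseHeaders: { 'Content-Type': 'application/javascript' },
};

// The two remedies the issue asks for, applied to the same request.
function replayIssue() {
  return {
    asReported: coepAllowsEmbed(ISSUE_CASE),
    // Fix 1: the asset server adds Cross-Origin-Resource-Policy: cross-origin.
    serverSendsCorp: coepAllowsEmbed({
      ...ISSUE_CASE,
      responseHeaders: { ...ISSUE_CASE.responseHeaders, 'Cross-Origin-Resource-Policy': 'cross-origin' },
    }),
    // Fix 2: the client library sets crossorigin on the <script>, so the
    // request is CORS mode and the CDN's Access-Control-Allow-Origin decides.
    clientSetsCrossorigin: coepAllowsEmbed({
      ...ISSUE_CASE,
      crossorigin: true,
      responseHeaders: { ...ISSUE_CASE.responseHeaders, 'Access-Control-Allow-Origin': '*' },
    }),
  };
}

console.log(JSON.stringify(replayIssue(), null, 2));
```

Either remedy unblocks the embed, but they differ in who controls it: CORP is set by the resource server, so only PostHog can apply fix 1, whereas the crossorigin attribute is emitted by the snippet running in the page, which is why the issue treats the client-library change as the other half of the problem. Under CORS mode the cookie-less request is the price of the attribute, exactly as the issue notes.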
marandaneto (Member) commented

rrweb-io/rrweb#1433 helps with CORS
