Remote code inclusion (mixpanel-recorder.min.js)

[revmischa]

I have been using mixpanel-browser in my chrome extension for some time, it's included in content scripts which are injected into pages along with our UI and features and we use mixpanel to track their usage.

After upgrading to a recent mixpanel-browser version, we're unable to get our extension approved now because of remote code inclusion of mixpanel-recorder.min.js:

I believe caused by this behavior:

mixpanel-js/src/mixpanel-core.js

Line 380 in 34b4396

scriptEl.src = this.get_config('recorder_src');

Added in 4b2d173

I'm not sure what can be done about this other than rolling back to an older version of mixpanel-browser. I don't need session recording just event tracking.
Ideally there would be a version of this library that does not include remote code execution.

[tdumitrescu]

Thanks for bringing this up. I take it you're installing via npm and bundling the sdk with the rest of your code (e.g. import mixpanel from 'mixpanel-browser')? Since the main "HTML script snippet"-based loader has always done this style of async script-loading from our CDN. We're looking into providing bundle-ready builds that don't have this behavior.

[revmischa]

Yeah I'm using webpack to build my extension. For now I am trying to work around it with:

 // remove remote code loading
      {
        test: /mixpanel-browser.*\.js$/,
        use: [
          {
            loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
          },
        ],
      },

// this replaces the remote code loading in mixpanel so our extension doesn't anger chrome webstore reviewers
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}

But it's not ideal

[a-bormark]

Same issue. Is there any options to opt-out from adding recorder. It's in beta anyways and is available on Enterprise plan only.

Your suggestions?

[vittoriohalfon]

Same issue here - please do let me know if it is possible to opt out from recorder. Chrome Web Store is not happy with RHC...

[vittoriohalfon]

Yeah I'm using webpack to build my extension. For now I am trying to work around it with:

 // remove remote code loading
      {
        test: /mixpanel-browser.*\.js$/,
        use: [
          {
            loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
          },
        ],
      },

// this replaces the remote code loading in mixpanel so our extension doesn't anger chrome webstore reviewers
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}

But it's not ideal

Did this fix let you bypass chrome web store review? I've already been rejected due to mixpanel once. Wouldn't want to get rejected again :)

[revmischa]

Yeah I'm using webpack to build my extension. For now I am trying to work around it with:

 // remove remote code loading
      {
        test: /mixpanel-browser.*\.js$/,
        use: [
          {
            loader: resolve(webpackExtSrcDir, "webpack", "mixpanelNoop-loader.js"),
          },
        ],
      },

// this replaces the remote code loading in mixpanel so our extension doesn't anger chrome webstore reviewers
export default function (source) {
  const noopFunction = "MixpanelLib.prototype.start_session_recording = function() {};";
  return source.replace(
    /MixpanelLib\.prototype\.start_session_recording = addOptOutCheckMixpanelLib\(function\s*\(\)\s*\{([\s\S]*?)\}\);/,
    noopFunction
  );
}

But it's not ideal

Did this fix let you bypass chrome web store review? I've already been rejected due to mixpanel once. Wouldn't want to get rejected again :)

It removed the remote code loading and they seemed happy with it

[vittoriohalfon]

This script wasn't fully working out for me for some reason.
I reverted back to mixpanel version 2.49.0 (version before recording feature was released).

Hope Chrome Web reviewers will be happy with it.

[rahulbansal16]

Same issue with me. I am also reverting to 2.49. Thanks.
written via DictationDaddy.

[NickMihaiu91]

I've had the same issue. Google views the remote code loading of mixpanel-recorder.min.js as a violation and I can't get my extension approved.
This is a blocking issue, please look into it.

@rahulbansal16 @vittoriohalfon did you get approved using version 2.49? Thank you

[vittoriohalfon]

Yes, extension got approved when reverting to MixPanel Version 2.49.0
@NickMihaiu91

[ElinaBahirova]

My extension got rejected even after reverting to MixPanel Version 2.49.0
Violating content: Code snippet: assets/index.js: "https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js"

[tdumitrescu]

@ElinaBahirova there are no references to mixpanel-recorder.min.js in v2.49.0, none of that code had landed yet: https://github.com/mixpanel/mixpanel-js/tree/v2.49.0

[vittoriohalfon]

@ElinaBahirova are you sure you re-built the chrome extension after reverting to mixpanel v2.49.0?

[tdumitrescu]

Anyway though, the latest release 2.54.0 now provides several build options for including/unincluding the session-recording bundle. From the release notes:

The SDK is now provided in several new builds with different options around included modules and asynchronous loading:

1. Core mixpanel build with bundled mixpanel-recorder session-recording module (default):

import mixpanel from 'mixpanel-browser';

2. Core mixpanel build that optionally loads mixpanel-recorder asynchronously via script tag (previous default):

import mixpanel from 'mixpanel-browser/src/loaders/loader-module-with-async-recorder';

3. Core mixpanel build only (no session recording available):

import mixpanel from 'mixpanel-browser/src/loaders/loader-module-core';

Of the above options, 1 and 3 should both take care of the "remotely hosted code" violation. (In 1, the session-recording module is included in the main bundle rather than loaded asynchronously; in 3, it is not included at all and cannot be loaded)

You can also import the pre-built bundles directly if you don't want to run mixpanel-browser source through your bundler:

import mixpanel from 'mixpanel-browser/dist/mixpanel-core.cjs';

[tamzinselvi]

I followed the above comment to a tee, and still have the chrome store reporting the exact same issue. Taking a look at the mixpanel-core.cjs file, it still has references to the session recording script and seemingly the capability to load it, which seems to be failing Google Chrome Dev Store's static analysis on our built project. Can all references to session recording be pulled from the core?

v2.55.0 FYI

[tdumitrescu]

Thanks for the report. There's no script-loading code in https://github.com/mixpanel/mixpanel-js/blob/v2.55.0/dist/mixpanel-core.cjs.js (except for the JSONP tracking code which has been there forever). Are you getting the exact same violation report as in the first comment on this issue?

[tamzinselvi]

Yes - but as you can see on this line: https://github.com/mixpanel/mixpanel-js/blob/v2.55.0/dist/mixpanel-core.cjs.js#L4470 - the capability is still included, and this is causing the static analysis that Chrome Store's team is doing on submission to automatically reject our submission with the following note:

Violation:
Including remotely hosted code in a Manifest V3 item.
Violating Content:
Code snippet: assets/index.js: https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js

[shershen08]

2 days ago got the Chrome store rejection again with 2.49.0 version of the plugin ...

[surtic86]

With the newest Version 2.56.0 i get again the Blue Argon Warning from Chrome Webstore.

Code-Snippet: content.js: https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js

And im already using the

import mixpanel from 'mixpanel-browser/src/loaders/loader-module-core'; // new without recorder stuff