[897] Heatmap whitelisting

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 22.06.2
+- ! Minor breaking change ! If no domain whitelist is provided for the heatmaps the SDK will fallback to your server url
+- Fixed a bug where heatmap files were susceptible to DOM XSS
+- Users can now input their domain whitelist for heatmaps feature during init
+
 ## 22.06.1
 - Added SDK calls to report Feedback widgets manually
 

README.md

@@ -27,7 +27,7 @@ or
 ### 3. Use a CDN (content delivery network)
 Countly web SDK is available on CDNJS. Use either
 
-[https://cdnjs.cloudflare.com/ajax/libs/countly-sdk-web/22.06.1/countly.min.js](https://cdnjs.cloudflare.com/ajax/libs/countly-sdk-web/22.06.1/countly.min.js)
+[https://cdnjs.cloudflare.com/ajax/libs/countly-sdk-web/22.06.2/countly.min.js](https://cdnjs.cloudflare.com/ajax/libs/countly-sdk-web/22.06.2/countly.min.js)
 
 or
 

lib/countly.js

@@ -175,7 +175,7 @@
     */
     Countly.onload = Countly.onload || [];
 
-    var SDK_VERSION = "22.06.1";
+    var SDK_VERSION = "22.06.2";
     var SDK_NAME = "javascript_native_web";
 
     var urlParseRE = /^(((([^:\/#\?]+:)?(?:(\/\/)((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?\]\[]+|\[[^\/\]@#?]+\])(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/;
@@ -278,6 +278,7 @@
             this.maxBreadcrumbCount = getConfig("max_breadcrumb_count", ob, null);
             this.maxStackTraceLinesPerThread = getConfig("max_stack_trace_lines_per_thread", ob, configurationDefaultValues.MAX_STACKTRACE_LINES_PER_THREAD);
             this.maxStackTraceLineLength = getConfig("max_stack_trace_line_length", ob, configurationDefaultValues.MAX_STACKTRACE_LINE_LENGTH);
+            this.heatmapWhitelist = getConfig("heatmap_whitelist", ob, []);
 
             if (maxCrashLogs && !this.maxBreadcrumbCount) {
                 this.maxBreadcrumbCount = maxCrashLogs;
@@ -341,11 +342,25 @@
                         setToken(this.passed_data.token);
                         setValueInStorage("cly_old_token", this.passed_data.token);
                     }
-                    this.passed_data.url = this.passed_data.url || this.url;
-                    if (this.passed_data.purpose === "heatmap") {
-                        this.ignore_visitor = true;
-                        showLoader();
-                        loadJS(this.passed_data.url + "/views/heatmap.js", hideLoader);
+                    var strippedList = [];
+                    // if whitelist is provided is an array
+                    if (Array.isArray(this.heatmapWhitelist)) {
+                        this.heatmapWhitelist.push(this.url);
+                        strippedList = this.heatmapWhitelist.map(function(e) {
+                            // remove trailing slashes from the entries
+                            return stripTrailingSlash(e);
+                        });
+                    }
+                    else {
+                        strippedList = [this.url];
+                    }
+                    // if the passed url is in the whitelist proceed
+                    if (strippedList.includes(this.passed_data.url)) {
+                        if (this.passed_data.purpose === "heatmap") {
+                            this.ignore_visitor = true;
+                            showLoader();
+                            loadJS(this.passed_data.url + "/views/heatmap.js", hideLoader);
+                        }
                     }
                 }
             }
@@ -394,6 +409,10 @@
             if (this.test_mode) {
                 log(logLevelEnums.WARNING, "initialize, test_mode:[" + this.test_mode + "], queues won't be processed");
             }
+            // if test mode is enabled warn the user
+            if (this.heatmapWhitelist) {
+                log(logLevelEnums.DEBUG, "initialize, heatmap whitelist:[" + JSON.stringify(this.heatmapWhitelist) + "], these domains will be whitelisted");
+            }
             // if storage is se to something other than local storage
             if (this.storage !== "default") {
                 log(logLevelEnums.DEBUG, "initialize, storage is set to:[" + this.storage + "]");
@@ -4285,6 +4304,7 @@
      * @param {boolean} [conf.utm={"source":true, "medium":true, "campaign":true, "term":true, "content":true}] - Object instructing which UTM parameters to track
      * @param {boolean} [conf.use_session_cookie=true] - Use cookie to track session
      * @param {boolean} [conf.enable_orientation_tracking=true] - Enables orientation tracking at the start of a session
+     * @param {array=} [conf.heatmap_whitelist=[]] - array with trustable domains for heatmap reporting
      * @param {number} [conf.session_cookie_timeout=30] - How long till cookie session should expire in minutes
      * @param {boolean|function} [conf.remote_config=false] - Enable automatic remote config fetching, provide callback function to be notified when fetching done
      * @param {string=} [conf.namespace=""] - Have separate namespace of of persistent data
@@ -4448,8 +4468,10 @@
      *  @returns {String} modified string
      */
     function stripTrailingSlash(str) {
-        if (str.substr(str.length - 1) === "/") {
-            return str.substr(0, str.length - 1);
+        if (typeof str === "string") {
+            if (str.substring(str.length - 1) === "/") {
+                return str.substring(0, str.length - 1);
+            }
         }
         return str;
     }