
[SDK] Feature: Adds location to platform headers #7462


Open: wants to merge 1 commit into base: main

Conversation

gregfromstl (Member) commented Jun 27, 2025

Also see https://github.com/thirdweb-dev/client-analytics/pull/63


PR-Codex overview

This PR adds a check to ensure that the code runs only in a browser environment, allowing it to safely access window.location.href and push its value to the previousPlatform array.

Detailed summary

  • Added a condition to check if window is defined.
  • If true, the current URL (window.location.href) is pushed to the previousPlatform array with the key "x-sdk-location".


Summary by CodeRabbit

  • New Features
    • The app now includes the current browser URL as a platform header when used in a browser environment.

@gregfromstl gregfromstl requested review from a team as code owners June 27, 2025 18:14

changeset-bot bot commented Jun 27, 2025

⚠️ No Changeset found

Latest commit: 8901169

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



vercel bot commented Jun 27, 2025

The latest updates on your projects.

| Name | Status | Updated (UTC) |
| --- | --- | --- |
| docs-v2 | Ready | Jun 27, 2025 6:29pm |
| nebula | Ready | Jun 27, 2025 6:29pm |
| thirdweb_playground | Ready | Jun 27, 2025 6:29pm |
| thirdweb-www | Ready | Jun 27, 2025 6:29pm |
| wallet-ui | Ready | Jun 27, 2025 6:29pm |

Contributor

coderabbitai bot commented Jun 27, 2025

Walkthrough

The getPlatformHeaders function in the fetch utility was updated to include the current browser URL as a header (x-sdk-location) when executed in a browser environment. No other logic or exported declarations were changed.

Changes

File Change Summary
packages/thirdweb/src/utils/fetch.ts Modified getPlatformHeaders to append x-sdk-location header with window.location.href if in browser.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant fetch.ts (getPlatformHeaders)
    alt Browser environment
        fetch.ts -> window: Access location.href
        fetch.ts -> Caller: Return headers + x-sdk-location
    else Non-browser environment
        fetch.ts -> Caller: Return headers (unchanged)
    end

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📥 Commits

Reviewing files that changed from the base of the PR and between e814248 and 8901169.

📒 Files selected for processing (1)
  • packages/thirdweb/src/utils/fetch.ts (1 hunks)
Comment on lines +231 to +233
if (typeof window !== "undefined") {
previousPlatform.push(["x-sdk-location", window.location.href]);
}
Contributor


🛠️ Refactor suggestion

previousPlatform is cached once – subsequent navigations send a stale location.

Because getPlatformHeaders memoises previousPlatform, the location is captured only on the first call. In SPA contexts (Next.js, React Router, etc.) the user can navigate without a full reload, resulting in headers that no longer reflect the current page.
If accurate location is required per request, recalculate (or update) on every call instead of caching.

🤖 Prompt for AI Agents
In packages/thirdweb/src/utils/fetch.ts around lines 231 to 233, the
previousPlatform array is memoized and captures window.location.href only once,
causing stale location headers on SPA navigations. To fix this, remove the
caching of previousPlatform so that the location header is recalculated or
updated on every call to getPlatformHeaders, ensuring the current page URL is
always sent in the headers.

⚠️ Potential issue

Potential PII/Security leakage by transmitting full URL (window.location.href).

href includes the full path, query string, and fragment. URLs often embed auth tokens, e-mails, wallet addresses, or other sensitive identifiers (e.g., ?jwt=…, #access_token=). Forwarding them verbatim in every request exposes that data to every thirdweb backend service, caching layers, logs, and potentially intermediaries.

-previousPlatform.push(["x-sdk-location", window.location.href]);
+// Safer: strip search params & hashes, or redact known sensitive keys
+const location = new URL(window.location.href);
+location.search = "";
+location.hash = "";
+previousPlatform.push(["x-sdk-location", location.toString()]);
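Review bot: the suggested replacement still dereferences `window.location` without checking that it exists; the `typeof window !== "undefined"` guard on the surrounding lines only proves that `window` is defined, so `new URL(window.location.href)` throws on a runtime that exposes a `window` without a `location`. Check `window.location?.href` is a string before constructing the URL. The rewrite also forwards the full pathname, which can carry identifiers of its own, so the origin-only variant (`location.origin`) mentioned in the prompt below is the safer default.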

At minimum, consider:
• Stripping query / fragment components.
• Whitelisting allowed origins instead of sending the full string.
• Gating this behind an explicit opt-in flag.

🤖 Prompt for AI Agents
In packages/thirdweb/src/utils/fetch.ts around lines 231 to 233, avoid sending
the full URL from window.location.href as it may contain sensitive information
like tokens or personal data. Modify the code to strip out the query string and
fragment parts before pushing the URL, or alternatively only send the origin
(protocol + host). Consider adding an explicit opt-in flag to control whether
this location data is sent. This will prevent potential PII/security leakage in
requests.
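One way to address both review points above (read the location on every call rather than caching it, and never forward the query string or fragment), as an added TypeScript example that is not code from the thirdweb PR or SDK. The names buildLocationHeader, LocationPolicy, WindowLike and the policy/allowedOrigins options are assumptions made for this illustration; it also tolerates a `window` without a `location`, the case raised later in the thread.

```typescript
// Added example, not code from the thirdweb PR or SDK. Builds the
// "x-sdk-location" header value defensively: opt-in only, location read on
// every call (no caching), query string and fragment never forwarded, and a
// `window` without `location` tolerated. buildLocationHeader, LocationPolicy,
// WindowLike and the option names are assumptions made for this illustration.

export type LocationPolicy = "off" | "origin" | "path";

export interface LocationHeaderOptions {
  // "off" (default) sends nothing; "origin" sends scheme + host only;
  // "path" sends scheme + host + pathname with search and hash removed.
  policy?: LocationPolicy;
  // Optional allow-list of origins; any other origin is not reported.
  allowedOrigins?: string[];
}

// The minimal shape needed from the global object. Some runtimes expose a
// `window` without a `location`, so both layers are optional.
export interface WindowLike {
  location?: { href?: string };
}

// new URL() throws on malformed input; treat that as "nothing to report".
function parseUrl(href: string): URL | null {
  try {
    return new URL(href);
  } catch (_err) {
    return null;
  }
}

// Returns the header tuple, or null when nothing should be sent. It reads the
// location on each call, so SPA route changes show up in later requests.
export function buildLocationHeader(
  globalObj: WindowLike | undefined,
  options: LocationHeaderOptions = {},
): [string, string] | null {
  const policy = options.policy ?? "off";
  if (policy === "off") return null;

  const href = globalObj?.location?.href;
  if (typeof href !== "string" || href.length === 0) return null;

  const url = parseUrl(href);
  // Opaque origins (about:blank, file:, data:) serialise as "null" and carry
  // no useful information about the page.
  if (url === null || url.origin === "null") return null;

  if (options.allowedOrigins && !options.allowedOrigins.includes(url.origin)) {
    return null;
  }

  // Query string and fragment are where tokens (?jwt=..., #access_token=...)
  // usually live; only origin and pathname are ever used.
  const value =
    policy === "origin" ? url.origin : `${url.origin}${url.pathname}`;
  return ["x-sdk-location", value];
}

// Constructed sample inputs exercising the policies and the edge cases.
export function demo(): Array<[string, string] | null> {
  const page: WindowLike = {
    location: {
      href: "https://app.example.com/pay/0xabc?jwt=secret#access_token=xyz",
    },
  };
  const windowWithoutLocation: WindowLike = {};
  return [
    buildLocationHeader(page), // null: not opted in
    buildLocationHeader(page, { policy: "origin" }), // https://app.example.com
    buildLocationHeader(page, { policy: "path" }), // https://app.example.com/pay/0xabc
    buildLocationHeader(page, {
      policy: "path",
      allowedOrigins: ["https://other.example"],
    }), // null: origin not allow-listed
    buildLocationHeader(windowWithoutLocation, { policy: "path" }), // null
    buildLocationHeader(undefined, { policy: "path" }), // null: server side
  ];
}
```

A caller would invoke buildLocationHeader(typeof window !== "undefined" ? window : undefined, opts) inside getPlatformHeaders on each request instead of pushing onto the memoised array, so the value follows the current route and is absent unless the integrator opted in.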

Contributor

size-limit report 📦

| Path | Size | Loading time (3g) | Running time (snapdragon) | Total time |
| --- | --- | --- | --- | --- |
| thirdweb (esm) | 63.15 KB (+0.07%) | 1.3 s (+0.07%) | 316 ms (+103.14%) | 1.6 s |
| thirdweb (cjs) | 352.98 KB (+0.11%) | 7.1 s (+0.11%) | 1.3 s (+1.33%) | 8.3 s |
| thirdweb (minimal + tree-shaking) | 5.74 KB (+0.31%) | 115 ms (+0.31%) | 95 ms (+834.96%) | 210 ms |
| thirdweb/chains (tree-shaking) | 530 B (0%) | 11 ms (0%) | 68 ms (+1685.47%) | 78 ms |
| thirdweb/react (minimal + tree-shaking) | 19.6 KB (+0.08%) | 393 ms (+0.08%) | 184 ms (+758.63%) | 576 ms |


codecov bot commented Jun 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 51.92%. Comparing base (e814248) to head (8901169).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7462   +/-   ##
=======================================
  Coverage   51.92%   51.92%           
=======================================
  Files         947      947           
  Lines       63932    63935    +3     
  Branches     4216     4218    +2     
=======================================
+ Hits        33194    33197    +3     
  Misses      30632    30632           
  Partials      106      106           
| Flag | Coverage Δ |
| --- | --- |
| packages | 51.92% <100.00%> (+<0.01%) |

| Files with missing lines | Coverage Δ |
| --- | --- |
| packages/thirdweb/src/utils/fetch.ts | 82.97% <100.00%> (+0.27%) |

@@ -228,6 +228,10 @@ export function getPlatformHeaders() {
...(bundleId ? { "x-bundle-id": bundleId } : {}),
});

if (typeof window !== "undefined") {
previousPlatform.push(["x-sdk-location", window.location.href]);
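Review bot: `window.location.href` is read behind only a `typeof window !== "undefined"` guard, which does not establish that `location` exists; on a runtime that exposes a `window` without a `location` this line throws inside getPlatformHeaders and takes every request down with it. Suggest `if (typeof window !== "undefined" && typeof window.location?.href === "string")`. Separately, `href` includes the query string and fragment, so anything placed there is forwarded on every request to every backend and log; strip them (for example `new URL(href).origin`) before pushing the header.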
Member


This feels a bit odd, no? Also make sure to handle location undefined as well for some platforms. RN actually can have a window but no location, I think.

Member Author


How is it odd?

Member


I think it fits better as a param to the tracking event rather than a header to all requests.

Member


Can we just add it to the trackPayEvent / trackConnectEvent for now?

Labels: packages, SDK (Involves changes to the thirdweb SDK)