[SDK] Feature: Adds location to platform headers #7462
4 changes: 4 additions & 0 deletions packages/thirdweb/src/utils/fetch.ts
@@ -228,6 +228,10 @@ export function getPlatformHeaders() {
...(bundleId ? { "x-bundle-id": bundleId } : {}),
});

if (typeof window !== "undefined") {
previousPlatform.push(["x-sdk-location", window.location.href]);
Member

This feels a bit odd, no? Also make sure to handle location undefined as well for some platforms. RN actually can have a window but no location, I think.

Member Author

How is it odd?

Member

I think it fits better as a param to the tracking event rather than a header to all requests.

Member

Can we just add it to the trackPayEvent / trackConnectEvent for now?

}
Comment on lines +231 to +233
Contributor

🛠️ Refactor suggestion

previousPlatform is cached once – subsequent navigations send a stale location.

Because getPlatformHeaders memoises previousPlatform, the location is captured only on the first call. In SPA contexts (Next.js, React Router, etc.) the user can navigate without a full reload, resulting in headers that no longer reflect the current page.
If accurate location is required per request, recalculate (or update) on every call instead of caching.

🤖 Prompt for AI Agents
In packages/thirdweb/src/utils/fetch.ts around lines 231 to 233, the
previousPlatform array is memoized and captures window.location.href only once,
causing stale location headers on SPA navigations. To fix this, remove the
caching of previousPlatform so that the location header is recalculated or
updated on every call to getPlatformHeaders, ensuring the current page URL is
always sent in the headers.

⚠️ Potential issue

Potential PII/Security leakage by transmitting full URL (window.location.href).

href includes the full path, query string, and fragment. URLs often embed auth tokens, e-mails, wallet addresses, or other sensitive identifiers (e.g., ?jwt=…, #access_token=). Forwarding them verbatim in every request exposes that data to every thirdweb backend service, caching layers, logs, and potentially intermediaries.

-previousPlatform.push(["x-sdk-location", window.location.href]);
+// Safer: strip search params & hashes, or redact known sensitive keys
+const location = new URL(window.location.href);
+location.search = "";
+location.hash = "";
+previousPlatform.push(["x-sdk-location", location.toString()]);

At minimum, consider:
• Stripping query / fragment components.
• Whitelisting allowed origins instead of sending the full string.
• Gating this behind an explicit opt-in flag.

🤖 Prompt for AI Agents
In packages/thirdweb/src/utils/fetch.ts around lines 231 to 233, avoid sending
the full URL from window.location.href as it may contain sensitive information
like tokens or personal data. Modify the code to strip out the query string and
fragment parts before pushing the URL, or alternatively only send the origin
(protocol + host). Consider adding an explicit opt-in flag to control whether
this location data is sent. This will prevent potential PII/security leakage in
requests.
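The redaction and missing-location handling discussed in this thread, as an added example (not thirdweb's code); the window-like shape and the function names are hypothetical so it runs outside a browser:

```typescript
// Minimal shape of the global this example inspects (hypothetical type).
type WindowLike = { location?: { href?: unknown } };

// Parse an href, returning undefined for opaque or invalid values.
function tryParseUrl(href: string): URL | undefined {
  try {
    return new URL(href);
  } catch {
    return undefined;
  }
}

// Build the optional "x-sdk-location" header pair. Returns undefined when
// there is no usable location (React Native can expose `window` without
// `location`), and strips the query string and fragment, which commonly
// carry tokens or identifiers, before the value is put in a header.
function sdkLocationHeader(
  win: WindowLike | undefined,
): [string, string] | undefined {
  const href = win?.location?.href;
  if (typeof href !== "string") return undefined;
  const url = tryParseUrl(href);
  if (!url) return undefined;
  url.search = "";
  url.hash = "";
  return ["x-sdk-location", url.toString()];
}

// Static platform headers can be cached, but the location is recomputed on
// every call so client-side (SPA) navigation never sends a stale page.
const cachedStaticHeaders: [string, string][] = [["x-sdk-name", "example-sdk"]]; // constructed sample
function platformHeaders(win: WindowLike | undefined): [string, string][] {
  const loc = sdkLocationHeader(win);
  return loc ? [...cachedStaticHeaders, loc] : [...cachedStaticHeaders];
}
```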


return previousPlatform;
}
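Review bot: the guard at `if (typeof window !== "undefined") {` does not cover the case raised in the thread where `window` exists but `window.location` does not (React Native), so `window.location.href` can throw there; check `typeof window.location?.href === "string"` as well. The value pushed is the full `href`, whose query string and fragment frequently carry tokens or identifiers, so push a reduced form such as the `origin` plus `pathname` of `new URL(window.location.href)` instead, or gate the header behind an explicit opt-in. Because the push lands in the memoised array returned at `return previousPlatform;`, the location is also captured once and goes stale on client-side navigation; compute it on each call rather than inside the cached block.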
