Make first-party integration URLs root-relative#819
Conversation
The GPT, DataDome, Permutive, Lockr, and Sourcepoint attribute rewriters
rewrote a publisher's `<script src>` / `<link href>` to an absolute first-party
URL built from `request_host`, e.g. `https://{request_host}/integrations/gpt/script`.
When the host that reaches the program isn't the page's host — behind a
host-rewriting dev proxy, or any deployment where `request_host` resolves to the
routing host rather than the production domain — those URLs leak the wrong host
into the page (e.g. `https://ts.example.com/integrations/...` while the address
bar shows `www.example.com`).
Emit them root-relative (`/integrations/...`) instead, so the browser resolves
them against the page's own host. This is correct both in production and behind
a proxy, removes the dependency on `request_host`/`X-Forwarded-Host` derivation,
and matches what GTM, Didomi, Testlight, and these integrations' own inline-script
rewriters already do.
Audited every integration: these five were the only page-facing first-party URLs
built from a host. NextJS RSC/flight payload rewriting stays absolute (those URLs
are intentional). The DataDome protection module's raw-`Host` read is server-side
(validation API body), not page-facing, and is left as-is. Tests updated to
assert the root-relative form.
ChristianPavilonis
left a comment
There was a problem hiding this comment.
Automated review: I reviewed the root-relative integration URL changes for GPT, DataDome, Lockr, Permutive, and Sourcepoint. I did not find any blocking correctness, security, data-loss, authorization, or severe compatibility issues. CI is passing. I left one non-blocking compatibility comment about <base href> semantics because root-relative attribute URLs are still resolved against the document base URL, not always the address-bar origin.
ChristianPavilonis
left a comment
There was a problem hiding this comment.
Review Summary
Approved. I reviewed the root-relative first-party integration URL change and did not find any blocker/high/medium correctness, security, or compatibility issues beyond the already-noted <base href> edge case.
Findings
P3 / Low
crates/trusted-server-core/src/integrations/datadome.rs:55— DataDome module docs still show the old absolute rewrite output (https://publisher.com/integrations/datadome/tags.js). Please update the example to the new root-relative form (/integrations/datadome/tags.js) when convenient.
|
Addressed review feedback in 38aee53:
Comment/doc-only change; |
Keep the branch's evolved tree (fastly 0.12, worker 0.8, edgezero ce6bcf74, Spin adapter), which already supersedes main's PR16/PR18 content carried via the stack's merge history. Incorporate main's two new fixes that the branch lacked: - #819 root-relative first-party integration URLs (datadome, gpt, lockr, permutive, sourcepoint) - #822 Sourcepoint first-party consent iframe/same-origin guard Auto-merge picked main's older fastly-0.11 TLS code for the fastly adapter (main.rs, platform.rs, route_tests.rs); restore the branch versions so the get_tls_protocol/cipher calls match the locked fastly 0.12 API. Verified: cargo check-{fastly,cloudflare,axum,spin} --locked all pass.
Closes #820
Problem
The GPT, DataDome, Permutive, Lockr, and Sourcepoint attribute rewriters rewrite a publisher's
<script src>/<link href>to an absolute first-party URL built fromrequest_host:ctx.request_hostis the host TS derived for the request (extract_request_host→Host/X-Forwarded-Host). When that isn't the page's own host, these URLs leak the wrong host into the HTML — e.g. the page rendershttps://ts.example.com/integrations/gpt/scriptwhile the address bar showswww.example.com. This shows up behind a host-rewriting dev proxy, and anywhererequest_hostresolves to the routing host rather than the production domain.Fix
Emit these URLs root-relative (
/integrations/...) so the browser resolves them against the page's own host:Correct both in production and behind a proxy, and it removes the dependency on
request_host/X-Forwarded-Hostderivation entirely. This matches what GTM, Didomi, Testlight, and these integrations' own inline-script rewriters already do.Scope — full integration audit
Audited every integration's page-facing URL emission (attribute rewriters, head injectors, inline-script rewriters, config-rendered URLs):
request_host)client_side_tag_url(default), sourcepoint trap prefixHostread (validation API body)These five were the only page-facing first-party URLs built from a host.
Tests
Unit tests asserting the old absolute form updated to the root-relative form (no weakening).
cargo fmt,cargo clippy --workspace --all-targets --all-features -D warnings, andcargo test --workspaceall pass.