mattermost-redux

Rudderlabs sets cookie for whole domain

Open dmke opened this issue 4 years ago • 2 comments

Summary

Rudderlabs cookies set on domain .example.com, not on mattermost.example.com.

Environment Information

  • Webapp or React Native app: Webapp
  • Mattermost Server Version: latest

Steps to reproduce

Install Mattermost on a server. Use a subdomain, e.g. https://mattermost.example.com. Visit that domain. Observe that the JS application (the 5MB main.js) sets two cookies, rl_user_id and rl_anonymous_id, for the domain .example.com.

Now visit https://example.com, or https://gitlab.example.com. Observe the same cookies sent to these domains as well.

Bonus: have a development machine reachable at http://dev-42.vpn.example.com. Observe a lot of warnings for these cookies.

Expected behavior

The Rudderlabs cookies should only be set for mattermost.example.com.

Observed behavior

See above. The cookies are set up to be tracking cookies for the whole domain, including all subdomains.

Possible fixes

Confine Rudderlabs cookies to the (sub)domain Mattermost is installed on.

If that's not possible, remove Rudderlabs altogether.

dmke avatar Nov 13 '20 00:11 dmke
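
The scoping difference reported above, as an added example that is not part of the original issue and is not Mattermost or Rudderlabs code: a model of RFC 6265 domain matching showing which hosts receive a cookie stored with `Domain=.example.com` versus a host-only cookie. The function names, the cookie records and the `notexample.com` host are constructed for illustration; Path, Secure, SameSite and public-suffix checks are not modelled.

```javascript
// Added example: RFC 6265 cookie scoping for the hosts named in the report.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain if both are
// identical, or the host ends with "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Record a browser would keep for a cookie set by `originHost`
// (RFC 6265 section 5.3). No Domain attribute means a host-only cookie.
function storeCookie(name, originHost, domainAttr) {
  if (!domainAttr) {
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  if (!domainMatch(originHost, domain)) return null; // foreign domain: rejected
  return { name, domain, hostOnly: false };
}

// Would the browser attach this cookie to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatch(h, cookie.domain);
}

function exposure(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

const HOSTS = [
  "mattermost.example.com",
  "example.com",
  "gitlab.example.com",
  "dev-42.vpn.example.com",
  "notexample.com", // constructed: shares a suffix string but is a different domain
];

// Observed behaviour: cookie stored for the whole registrable domain.
const observed = storeCookie("rl_user_id", "mattermost.example.com", ".example.com");
// Expected behaviour: cookie confined to the host Mattermost runs on.
const confined = storeCookie("rl_user_id", "mattermost.example.com", null);

console.log("Domain=.example.com ->", exposure(observed, HOSTS));
console.log("host-only           ->", exposure(confined, HOSTS));
```

The same check can be run against a cookie export from the browser's storage inspector to list every host that receives a given cookie.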

More context:

We have set up a development domain (local.example.com and all its subdomains resolve to 127.0.0.1/::1). Running Mattermost on mattermost.example.com creates A LOT of noise in our dev tools:

image

This is really annoying because for each resource (font, image, stylesheet, Webpack chunk, API request, ...), I get two warnings (for the two rl_*_id cookies). The screenshot contains 2-3 screens full of warnings, masking the ones I do care for.

dmke avatar Nov 17 '20 12:11 dmke

@dmke - Thanks for submitting this issue! I've opened an internal ticket to track this - MM-36643.

coltoneshaw avatar Jun 23 '21 21:06 coltoneshaw