mixpanel-js
Whitelist to track only intended websites
It would be nice to have a whitelist where I could whitelist domains, e.g. *.companyA.com, such that only requests coming from that domain would be tracked. I'm sure this could be achieved in other ways too, so that's just a suggestion. Specifically in our case, we removed MixPanel from the browser and are using a server-side proxy to get around this potential security hole.
It's simple to add MixPanel into any website and initialize it with your public token. This public token is obviously public and super easy to grab for any developer/hacker. This could then be used to replay any tracking action as many times as desired to invalidate the tracking.
Say you're an analyst at companyA.com and are using MixPanel to A/B test your newest and sometimes crazy feature ideas. Your competitor shadyCompetitorB.com knows that you occasionally do A/B testing and that you're using MixPanel. Whenever shadyCompetitorB.com notices a crazy feature they consider weird, they'll find the MixPanel event that tracks that event and replay that a lot, causing your A/B testing to be invalidated without you knowing.
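One way a server-side proxy like the one mentioned in the issue could apply a `*.companyA.com`-style allowlist to the browser's `Origin` header, as an added example (not code from mixpanel-js or from the issue author); `ALLOWED_PATTERNS`, `hostMatches` and `isAllowedOrigin` are hypothetical names. Matching is done on DNS label boundaries so look-alike hosts fail, and the check only filters browser-originated requests, since a non-browser client can set `Origin` to any value.

```javascript
// Added example: Origin allowlist for a hypothetical tracking proxy.
// None of these names are mixpanel-js APIs.
const ALLOWED_PATTERNS = ['companya.com', '*.companya.com'];

// Match one hostname against one pattern on DNS label boundaries.
function hostMatches(hostname, pattern) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  const pat = pattern.toLowerCase();
  if (pat.startsWith('*.')) {
    const suffix = pat.slice(1); // "*.companya.com" -> ".companya.com"
    // The leading dot in the suffix is what rejects "evilcompanya.com";
    // the length check keeps the bare apex out of the wildcard.
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pat;
}

// Decide whether an Origin header value is on the allowlist.
function isAllowedOrigin(originHeader, patterns = ALLOWED_PATTERNS) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // malformed header value
  }
  if (url.protocol !== 'https:') return false;
  // An origin is scheme://host[:port] and nothing else.
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    return false;
  }
  return patterns.some((p) => hostMatches(url.hostname, p));
}

// Constructed sample Origin values, for illustration only.
const SAMPLE_ORIGINS = [
  'https://app.companyA.com',       // allowed: subdomain
  'https://companya.com',           // allowed: apex listed explicitly
  'https://evilcompanya.com',       // rejected: no label boundary
  'https://companya.com.evil.test', // rejected: allowlisted name is a prefix
  'http://app.companya.com',        // rejected: not https
];
for (const origin of SAMPLE_ORIGINS) {
  console.log(origin, isAllowedOrigin(origin) ? 'forward' : 'drop');
}
```

An allowlist like this does not stop replay of events by a client that forges the header; the proxy still needs the token kept server-side, as described in the issue.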
@tobiasc did you find a solution for that, except for routing through a BE server?