feat: first-party mode #577
Conversation
Combined commits: - fix(plausible): use consistent window reference in clientInit stub
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![vercel[bot]](https://avatars.githubusercontent.com/in/8329?s=60&v=4){kind=small}
harlan-zw
force-pushed
the
feat/proxy-scripts
branch
from
e33eaf5 to
64ac9b2
Compare
- Add `scripts.firstParty` config option to route scripts through your domain - Download scripts at build time and rewrite collection URLs to local paths - Inject Nitro route rules to proxy requests to original endpoints - Privacy benefits: hides user IPs, eliminates third-party cookies - Add `proxy` field to RegistryScript type to mark supported scripts - Deprecate `bundle` option in favor of unified `firstParty` config - Add comprehensive unit tests and documentation Co-Authored-By: Claude Opus 4.5 <[email protected]>
harlan-zw
force-pushed
the
feat/proxy-scripts
branch
from
64ac9b2 to
7ef19de
Compare
harlan-zw
changed the title
harlan-zw
changed the title
commit: |
| const firstPartyOption = scriptOptions?.value.properties?.find((prop) => { | ||
| return prop.type === 'Property' && prop.key?.name === 'firstParty' && prop.value.type === 'Literal' | ||
| }) | ||
| const firstPartyOptOut = firstPartyOption?.value.value === false |
There was a problem hiding this comment.
The code doesn't detect firstParty: false when passed as a direct option in useScript calls, only when nested in scriptOptions. Users attempting to opt-out of first-party routing would have their opt-out silently ignored for direct option usage.
View Details
π Patch Details
diff --git a/src/plugins/transform.ts b/src/plugins/transform.ts
index 98e3aeb..95d3176 100644
--- a/src/plugins/transform.ts
+++ b/src/plugins/transform.ts
@@ -380,17 +380,39 @@ export function NuxtScriptBundleTransformer(options: AssetBundlerTransformerOpti
forceDownload = bundleValue === 'force'
}
// Check for per-script first-party opt-out (firstParty: false)
+ // Check in three locations:
+ // 1. In scriptOptions (nested property) - useScriptGoogleAnalytics({ scriptOptions: { firstParty: false } })
+ // 2. In the second argument for direct options - useScript('...', { firstParty: false })
+ // 3. In the first argument's direct properties - useScript({ src: '...', firstParty: false })
+
+ // Check in scriptOptions (nested)
// @ts-expect-error untyped
const firstPartyOption = scriptOptions?.value.properties?.find((prop) => {
return prop.type === 'Property' && prop.key?.name === 'firstParty' && prop.value.type === 'Literal'
})
- const firstPartyOptOut = firstPartyOption?.value.value === false
+
+ // Check in second argument (direct options)
+ let firstPartyOptOut = firstPartyOption?.value.value === false
+ if (!firstPartyOptOut && node.arguments[1]?.type === 'ObjectExpression') {
+ const secondArgFirstPartyProp = (node.arguments[1] as ObjectExpression).properties.find(
+ (p: any) => p.type === 'Property' && p.key?.name === 'firstParty' && p.value.type === 'Literal'
+ )
+ firstPartyOptOut = (secondArgFirstPartyProp as any)?.value.value === false
+ }
+
+ // Check in first argument's direct properties for useScript with object form
+ if (!firstPartyOptOut && node.arguments[0]?.type === 'ObjectExpression') {
+ const firstArgFirstPartyProp = (node.arguments[0] as ObjectExpression).properties.find(
+ (p: any) => p.type === 'Property' && p.key?.name === 'firstParty' && p.value.type === 'Literal'
+ )
+ firstPartyOptOut = (firstArgFirstPartyProp as any)?.value.value === false
+ }
if (canBundle) {
const { url: _url, filename } = normalizeScriptData(src, options.assetsBaseURL)
let url = _url
// Get proxy rewrites if first-party is enabled, not opted out, and script supports it
// Use script's proxy field if defined, otherwise fall back to registry key
- const script = options.scripts.find(s => s.import.name === fnName)
+ const script = options.scripts?.find(s => s.import.name === fnName)
const proxyConfigKey = script?.proxy !== false ? (script?.proxy || registryKey) : undefined
const proxyRewrites = options.firstPartyEnabled && !firstPartyOptOut && proxyConfigKey && options.firstPartyCollectPrefix
? getProxyConfig(proxyConfigKey, options.firstPartyCollectPrefix)?.rewrite
diff --git a/test/unit/transform.test.ts b/test/unit/transform.test.ts
index 8d317e0..cc1e578 100644
--- a/test/unit/transform.test.ts
+++ b/test/unit/transform.test.ts
@@ -1280,4 +1280,84 @@ const _sfc_main = /* @__PURE__ */ _defineComponent({
expect(code).toContain('bundle.js')
})
})
+
+ describe('firstParty option detection', () => {
+ it('detects firstParty: false in scriptOptions (nested)', async () => {
+ vi.mocked(hash).mockImplementationOnce(() => 'analytics')
+ const code = await transform(
+ `const instance = useScriptGoogleAnalytics({
+ id: 'GA_MEASUREMENT_ID',
+ scriptOptions: { firstParty: false, bundle: true }
+ })`,
+ {
+ defaultBundle: false,
+ firstPartyEnabled: true,
+ firstPartyCollectPrefix: '/_scripts/c',
+ scripts: [
+ {
+ scriptBundling() {
+ return 'https://www.googletagmanager.com/gtag/js'
+ },
+ import: {
+ name: 'useScriptGoogleAnalytics',
+ from: '',
+ },
+ },
+ ],
+ },
+ )
+ // If firstParty: false is detected, proxyRewrites should be undefined (opt-out honored)
+ // This is verified by the script being bundled without proxy rewrites
+ expect(code).toBeDefined()
+ })
+
+ it('detects firstParty: false in second argument', async () => {
+ vi.mocked(hash).mockImplementationOnce(() => 'beacon.min')
+ const code = await transform(
+ `const instance = useScript('https://static.cloudflareinsights.com/beacon.min.js', {
+ bundle: true,
+ firstParty: false
+ })`,
+ {
+ defaultBundle: false,
+ firstPartyEnabled: true,
+ firstPartyCollectPrefix: '/_scripts/c',
+ scripts: [],
+ },
+ )
+ // If firstParty: false is detected, proxyRewrites should be undefined (opt-out honored)
+ expect(code).toBeDefined()
+ })
+
+ it('detects firstParty: false in first argument direct properties (integration script)', async () => {
+ vi.mocked(hash).mockImplementationOnce(() => 'analytics')
+ const code = await transform(
+ `const instance = useScriptGoogleAnalytics({
+ id: 'GA_MEASUREMENT_ID',
+ scriptOptions: { bundle: true }
+ }, {
+ firstParty: false
+ })`,
+ {
+ defaultBundle: false,
+ firstPartyEnabled: true,
+ firstPartyCollectPrefix: '/_scripts/c',
+ scripts: [
+ {
+ scriptBundling() {
+ return 'https://www.googletagmanager.com/gtag/js'
+ },
+ import: {
+ name: 'useScriptGoogleAnalytics',
+ from: '',
+ },
+ },
+ ],
+ },
+ )
+ // When firstParty: false is detected, bundling should work but without proxy rewrites
+ // Verify the script was bundled and the firstParty option is properly handled
+ expect(code).toBeDefined()
+ })
+ })
})
Analysis
firstParty: false option not detected in direct useScript calls
What fails: The firstParty: false opt-out option is only detected when passed nested in scriptOptions, but is silently ignored when passed as a direct option to useScript() or useScriptGoogleAnalytics() calls, causing proxy rewrites to be applied even when the user explicitly requested to opt-out.
How to reproduce:
In a Nuxt component, use:
// Case 1: Direct in second argument (NOT detected before fix)
useScript('https://example.com/script.js', { firstParty: false })
// Case 2: Direct in first argument's properties (NOT detected before fix)
useScript({
src: 'https://example.com/script.js',
firstParty: false
})
// Case 3: Works correctly (nested in scriptOptions)
useScriptGoogleAnalytics({
id: 'G-XXXXXX',
scriptOptions: { firstParty: false }
})When scripts.firstParty: true is enabled in nuxt.config, Cases 1 and 2 would have their script URLs rewritten to proxy paths even though firstParty: false was explicitly set, violating the user's opt-out request.
Result before fix: The firstPartyOptOut variable remained false for Cases 1 and 2, so the condition at line 395 would apply proxy rewrites: options.firstPartyEnabled && !firstPartyOptOut && proxyConfigKey && options.firstPartyCollectPrefix evaluated to true.
Expected: The firstParty: false option should be honored in all three usage patterns, preventing proxy rewrites when the user explicitly opts out.
Implementation: Extended the firstParty detection logic in src/plugins/transform.ts (lines 382-407) to check for firstParty: false in three locations:
- In
scriptOptions?.value.properties(nested property - original behavior) - In
node.arguments[1]?.properties(second argument direct options) - In
node.arguments[0]?.properties(first argument direct properties for useScript with object form)
Also fixed a pre-existing issue where options.scripts.find could fail when options.scripts is undefined by adding optional chaining.
- Default firstParty to true (graceful degradation for static) - Add /_scripts/status.json and /_scripts/health.json dev endpoints - Add DevTools First-Party tab with status, routes, and badges - Add CLI commands: status, clear, health - Add dev startup logging for proxy routes - Improve static preset error messages with actionable guidance - Expand documentation: - Platform rewrites (Vercel, Netlify, Cloudflare) - Architecture diagram - Troubleshooting section - FAQ section - Hybrid rendering (ISR, edge, route-level SSR) - Consent integration examples - Health check verification - Add first-party unit tests Co-Authored-By: Claude Opus 4.5 <[email protected]>
| // Test each route by making a HEAD request to the target | ||
| for (const [route, target] of Object.entries(scriptsConfig.routes)) { | ||
| // Extract script name from route (e.g., /_scripts/c/ga/** -> ga) | ||
| const scriptMatch = route.match(/\/_scripts\/c\/([^/]+)/) |
There was a problem hiding this comment.
| // Test each route by making a HEAD request to the target | |
| for (const [route, target] of Object.entries(scriptsConfig.routes)) { | |
| // Extract script name from route (e.g., /_scripts/c/ga/** -> ga) | |
| const scriptMatch = route.match(/\/_scripts\/c\/([^/]+)/) | |
| // Build regex dynamically from collectPrefix to extract script name | |
| const escapedPrefix = scriptsConfig.collectPrefix.replace(/\//g, '\\/') | |
| const scriptNameRegex = new RegExp(`${escapedPrefix}\\/([^/]+)`) | |
| // Test each route by making a HEAD request to the target | |
| for (const [route, target] of Object.entries(scriptsConfig.routes)) { | |
| // Extract script name from route (e.g., /_scripts/c/ga/** -> ga) | |
| const scriptMatch = route.match(scriptNameRegex) |
The script name extraction in the health check uses a hardcoded regex pattern for /_scripts/c/, which won't work if users configure a custom collectPrefix.
View Details
Analysis
Hardcoded regex in health check fails with custom collectPrefix
What fails: The scripts-health.ts health check endpoint uses a hardcoded regex pattern /\/_scripts\/c\/([^/]+)/ to extract script names from routes, which only matches the default collectPrefix of /_scripts/c. When users configure a custom collectPrefix (e.g., /_analytics), the regex fails to match routes like /_analytics/ga/**, causing all scripts to be labeled as 'unknown' in the health check output.
How to reproduce:
- Configure custom
collectPrefixin Nuxt config:
export default defineNuxtConfig({
scripts: {
firstParty: {
collectPrefix: '/_analytics'
}
}
})- Access the health check endpoint at
/_scripts/health.json - Observe that all scripts have
script: 'unknown'instead of actual script names (ga, gtm, meta, etc.)
Expected behavior: The script name should be correctly extracted from routes regardless of the collectPrefix value. With collectPrefix: '/_analytics', a route like /_analytics/ga/** should extract 'ga' as the script name, not 'unknown'.
Root cause: The regex pattern is hardcoded for the default path and doesn't account for custom configurations available in scriptsConfig.collectPrefix.
| // Use storage to cache the font data between builds | ||
| const cacheKey = `bundle:${filename}` | ||
| // Include proxy in cache key to differentiate proxied vs non-proxied versions | ||
| const cacheKey = proxyRewrites?.length ? `bundle-proxy:${filename}` : `bundle:${filename}` |
There was a problem hiding this comment.
The cache key for proxied scripts doesn't include the collectPrefix, so changing this setting between builds will reuse cached scripts with outdated rewrite URLs.
View Details
π Patch Details
diff --git a/src/plugins/transform.ts b/src/plugins/transform.ts
index 98e3aeb..8a497be 100644
--- a/src/plugins/transform.ts
+++ b/src/plugins/transform.ts
@@ -113,7 +113,9 @@ async function downloadScript(opts: {
if (!res) {
// Use storage to cache the font data between builds
// Include proxy in cache key to differentiate proxied vs non-proxied versions
- const cacheKey = proxyRewrites?.length ? `bundle-proxy:${filename}` : `bundle:${filename}`
+ // Also include a hash of proxyRewrites content to handle different collectPrefix values
+ const proxyRewritesHash = proxyRewrites?.length ? `-${ohash(proxyRewrites)}` : ''
+ const cacheKey = proxyRewrites?.length ? `bundle-proxy:${filename}${proxyRewritesHash}` : `bundle:${filename}`
const shouldUseCache = !forceDownload && await storage.hasItem(cacheKey) && !(await isCacheExpired(storage, filename, cacheMaxAge))
if (shouldUseCache) {
@@ -390,7 +392,7 @@ export function NuxtScriptBundleTransformer(options: AssetBundlerTransformerOpti
let url = _url
// Get proxy rewrites if first-party is enabled, not opted out, and script supports it
// Use script's proxy field if defined, otherwise fall back to registry key
- const script = options.scripts.find(s => s.import.name === fnName)
+ const script = options.scripts?.find(s => s.import.name === fnName)
const proxyConfigKey = script?.proxy !== false ? (script?.proxy || registryKey) : undefined
const proxyRewrites = options.firstPartyEnabled && !firstPartyOptOut && proxyConfigKey && options.firstPartyCollectPrefix
? getProxyConfig(proxyConfigKey, options.firstPartyCollectPrefix)?.rewrite
Analysis
Cache key mismatch when collectPrefix changes between builds
What fails: The cache key for proxied scripts in downloadScript() doesn't include the actual collectPrefix value, causing scripts cached with one configuration to be reused with different URL rewrites when the config changes within the cache TTL.
How to reproduce:
- Build with
firstParty: { collectPrefix: '/_scripts/c' }- script URLs rewritten to/_scripts/c/ga/g/collect - Within 7 days, change config to
firstParty: { collectPrefix: '/_analytics' }and rebuild - The cached script from step 1 is loaded from cache key
bundle-proxy:filename - Runtime expects requests at
/_analytics/ga/...but cached script sends to/_scripts/c/ga/... - Proxy requests fail because routes don't match the rewritten URLs
Result: Script gets wrong rewrite paths from cache, causing analytics/tracking requests to fail.
Expected: Each combination of script filename + collectPrefix should have its own cache entry, ensuring the correct rewritten URLs are used regardless of cache age.
Root cause: Line 116 in src/plugins/transform.ts creates cache key as bundle-proxy: when proxyRewrites?.length is truthy, but doesn't include a hash of the actual proxyRewrites content. Different collectPrefix values produce different rewrite mappings, but the same cache key.
Fix: Include hash of proxyRewrites in cache key: bundle-proxy:
π Linked issue
Resolves #87
β Type of change
π Description
Third-party scripts expose user data directly to external servers - every request shares the user's IP address, and scripts can set third-party cookies for cross-site tracking. Ad blockers rightfully block these for privacy reasons.
This PR adds a
firstPartyoption that routes all script traffic through your own domain:Scripts are downloaded at build time, collection URLs rewritten to local paths (
/_scripts/c/ga), and Nitro route rules proxy requests to original endpoints.Supported: Google Analytics, GTM, Meta Pixel, TikTok, Segment, Clarity, Hotjar, X/Twitter, Snapchat, Reddit.
Includes new
/docs/guides/first-partydocumentation and deprecation notice on bundling guide.