From 4add10f1646cedcc6191ba7cc77a7ff194f92f97 Mon Sep 17 00:00:00 2001 From: Charly Gomez Date: Tue, 17 Dec 2024 14:21:08 +0100 Subject: [PATCH 1/2] block srcdoc iframe contents per default --- packages/replay-internal/src/util/getPrivacyOptions.ts | 2 +- .../test/integration/integrationSettings.test.ts | 4 +++- packages/replay-internal/test/integration/rrweb.test.ts | 4 ++-- .../replay-internal/test/unit/util/getPrivacyOptions.test.ts | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/packages/replay-internal/src/util/getPrivacyOptions.ts b/packages/replay-internal/src/util/getPrivacyOptions.ts index ba35ec21476d..90ef5a3facee 100644 --- a/packages/replay-internal/src/util/getPrivacyOptions.ts +++ b/packages/replay-internal/src/util/getPrivacyOptions.ts @@ -25,7 +25,7 @@ function getOption(selectors: string[], defaultSelectors: string[]): string { * Returns privacy related configuration for use in rrweb */ export function getPrivacyOptions({ mask, unmask, block, unblock, ignore }: GetPrivacyOptions): GetPrivacyReturn { - const defaultBlockedElements = ['base[href="/"]']; + const defaultBlockedElements = ['base[href="/"]', 'iframe[srcdoc]:not([src])']; const maskSelector = getOption(mask, ['.sentry-mask', '[data-sentry-mask]']); const unmaskSelector = getOption(unmask, []); diff --git a/packages/replay-internal/test/integration/integrationSettings.test.ts b/packages/replay-internal/test/integration/integrationSettings.test.ts index 62dc2a4a6588..6e075c933759 100644 --- a/packages/replay-internal/test/integration/integrationSettings.test.ts +++ b/packages/replay-internal/test/integration/integrationSettings.test.ts 
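Review bot: The new default `'iframe[srcdoc]:not([src])'` in `getPrivacyOptions` skips any iframe that carries both `srcdoc` and `src`, although browsers render the `srcdoc` document in preference to `src` when both are present, so that inline content would still be recorded. If the goal is to keep inline iframe documents out of recordings by default, `'iframe[srcdoc]'` covers that case as well. If the `:not([src])` exclusion is deliberate, a one-line comment above `defaultBlockedElements` should give the reason, because the selector alone does not. The body of `getPrivacyOptions` continues outside the hunk.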
@@ -17,7 +17,9 @@ describe('Integration | integrationSettings', () => { it('sets the correct configuration when `blockAllMedia` is disabled', async () => { const { replay } = await mockSdk({ replayOptions: { blockAllMedia: false } }); - expect(replay['_recordingOptions'].blockSelector).toBe('.sentry-block,[data-sentry-block],base[href="/"]'); + expect(replay['_recordingOptions'].blockSelector).toBe( + '.sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src])', + ); }); }); diff --git a/packages/replay-internal/test/integration/rrweb.test.ts b/packages/replay-internal/test/integration/rrweb.test.ts index 4327ddb21de1..da1c785aadb6 100644 --- a/packages/replay-internal/test/integration/rrweb.test.ts +++ b/packages/replay-internal/test/integration/rrweb.test.ts @@ -23,7 +23,7 @@ describe('Integration | rrweb', () => { }); expect(mockRecord.mock.calls[0]?.[0]).toMatchInlineSnapshot(` { - "blockSelector": ".sentry-block,[data-sentry-block],base[href="/"],img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", + "blockSelector": ".sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src]),img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", "collectFonts": true, "emit": [Function], "errorHandler": [Function], @@ -62,7 +62,7 @@ describe('Integration | rrweb', () => { expect(mockRecord.mock.calls[0]?.[0]).toMatchInlineSnapshot(` { - "blockSelector": ".sentry-block,[data-sentry-block],base[href="/"],img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", + "blockSelector": ".sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src]),img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", "checkoutEveryNms": 360000, "collectFonts": true, "emit": [Function], 
diff --git a/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts b/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts index 8595ca6aa1c4..2f4ac4d72113 100644 --- a/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts +++ b/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts @@ -21,7 +21,7 @@ describe('Unit | util | getPrivacyOptions', () => { }), ).toMatchInlineSnapshot(` { - "blockSelector": ".custom-block,.sentry-block,[data-sentry-block],base[href="/"]", + "blockSelector": ".custom-block,.sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src])", "ignoreSelector": ".custom-ignore,.sentry-ignore,[data-sentry-ignore],input[type="file"]", "maskTextSelector": ".custom-mask,.sentry-mask,[data-sentry-mask]", "unblockSelector": ".custom-unblock", From 96678ed57700939ed7feaebae65ae9255278c610 Mon Sep 17 00:00:00 2001 From: Charly Gomez Date: Wed, 18 Dec 2024 11:03:49 +0100 Subject: [PATCH 2/2] block all base tags --- packages/replay-internal/src/util/getPrivacyOptions.ts | 2 +- .../test/integration/integrationSettings.test.ts | 2 +- packages/replay-internal/test/integration/rrweb.test.ts | 4 ++-- .../replay-internal/test/unit/util/getPrivacyOptions.test.ts | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/replay-internal/src/util/getPrivacyOptions.ts b/packages/replay-internal/src/util/getPrivacyOptions.ts index 90ef5a3facee..a5aa3d392632 100644 --- a/packages/replay-internal/src/util/getPrivacyOptions.ts +++ b/packages/replay-internal/src/util/getPrivacyOptions.ts 
@@ -25,7 +25,7 @@ function getOption(selectors: string[], defaultSelectors: string[]): string { * Returns privacy related configuration for use in rrweb */ export function getPrivacyOptions({ mask, unmask, block, unblock, ignore }: GetPrivacyOptions): GetPrivacyReturn { - const defaultBlockedElements = ['base[href="/"]', 'iframe[srcdoc]:not([src])']; + const defaultBlockedElements = ['base', 'iframe[srcdoc]:not([src])']; const maskSelector = getOption(mask, ['.sentry-mask', '[data-sentry-mask]']); const unmaskSelector = getOption(unmask, []); diff --git a/packages/replay-internal/test/integration/integrationSettings.test.ts b/packages/replay-internal/test/integration/integrationSettings.test.ts index 6e075c933759..8f7f39fdcf1a 100644 --- a/packages/replay-internal/test/integration/integrationSettings.test.ts +++ b/packages/replay-internal/test/integration/integrationSettings.test.ts @@ -18,7 +18,7 @@ describe('Integration | integrationSettings', () => { const { replay } = await mockSdk({ replayOptions: { blockAllMedia: false } }); expect(replay['_recordingOptions'].blockSelector).toBe( - '.sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src])', + '.sentry-block,[data-sentry-block],base,iframe[srcdoc]:not([src])', ); }); }); diff --git a/packages/replay-internal/test/integration/rrweb.test.ts b/packages/replay-internal/test/integration/rrweb.test.ts index da1c785aadb6..cd3fbcd095be 100644 --- a/packages/replay-internal/test/integration/rrweb.test.ts +++ b/packages/replay-internal/test/integration/rrweb.test.ts 
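Review bot: Widening the default from `'base[href="/"]'` to `'base'` in `defaultBlockedElements` leaves no record in the code of why `<base>` elements are blocked at all, so a later maintainer could narrow it again without knowing what that re-exposes. I would add a comment on that line, for example `// Block every <base>, not only href="/": the href is page-controlled and must not be captured`, with the wording adjusted to the actual reason, which the hunk does not show. The updated tests only pin the joined selector string, so how a user-supplied `unblock` selector interacts with this default is worth confirming separately. The body of `getPrivacyOptions` continues outside the hunk.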
@@ -23,7 +23,7 @@ describe('Integration | rrweb', () => { }); expect(mockRecord.mock.calls[0]?.[0]).toMatchInlineSnapshot(` { - "blockSelector": ".sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src]),img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", + "blockSelector": ".sentry-block,[data-sentry-block],base,iframe[srcdoc]:not([src]),img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", "collectFonts": true, "emit": [Function], "errorHandler": [Function], @@ -62,7 +62,7 @@ describe('Integration | rrweb', () => { expect(mockRecord.mock.calls[0]?.[0]).toMatchInlineSnapshot(` { - "blockSelector": ".sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src]),img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", + "blockSelector": ".sentry-block,[data-sentry-block],base,iframe[srcdoc]:not([src]),img,image,svg,video,object,picture,embed,map,audio,link[rel="icon"],link[rel="apple-touch-icon"]", "checkoutEveryNms": 360000, "collectFonts": true, "emit": [Function], diff --git a/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts b/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts index 2f4ac4d72113..3123e3efaa7c 100644 --- a/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts +++ b/packages/replay-internal/test/unit/util/getPrivacyOptions.test.ts @@ -21,7 +21,7 @@ describe('Unit | util | getPrivacyOptions', () => { }), ).toMatchInlineSnapshot(` { - "blockSelector": ".custom-block,.sentry-block,[data-sentry-block],base[href="/"],iframe[srcdoc]:not([src])", + "blockSelector": ".custom-block,.sentry-block,[data-sentry-block],base,iframe[srcdoc]:not([src])", "ignoreSelector": ".custom-ignore,.sentry-ignore,[data-sentry-ignore],input[type="file"]", "maskTextSelector": ".custom-mask,.sentry-mask,[data-sentry-mask]", "unblockSelector": ".custom-unblock",