Amplitude is adding too many cookies causing 400 Bad Request errors #326
Comments
I suspect that this line of code sometimes doesn't work and the swallowed exception is masking the problem: Amplitude-JavaScript/src/base-cookie.js Line 56 in 3a9f25b
Hey @callado4, sorry this is happening to you Requests
The source is actually available here: intention-bundle-formatted-20201202.js.zip I'll see if I can give better reproduction steps, but essentially it's just having at least the uBlock Origin extension + the GetIntention extension (that I linked above), add news.ycombinator.com as a site for the Intention extension to track as a "time wasting" site, navigate to news.ycombinator.com, the Intention extension will show a popup where you have to select like 5m of time (to read/not focus), then click on any of the comments links in new tabs and after a few you will see the cookies growing in the network tab for the requests to the site.
Tagging @dkthehuman (creator of Intention) here in case he can provide any helpful input. I found this issue from the exact same problem (conflict between Intention and uBlock Origin) causing Google Accounts & Twitter to start breaking.
Thanks for tagging me @scottsb! This seems pretty nasty, and I didn't realize Amplitude was adding cookies for various domains. I definitely don't want Intention to be breaking sites, so I'm going to push a build now that disables Amplitude for all users until this issue is resolved. @callado4 The reason why Amplitude requests are sent even though you have uBlock Origin enabled is not because Intention is doing anything nefarious but because extensions can't affect other extensions for security reasons. (I use uBlock Origin myself and would love to respect that preference, but I can't detect whether uBlock Origin is installed without requesting additional permissions to manage your extensions which I'd like to avoid.) The problem above should cease once Intention is updated, but in the meantime, you can go to Settings > Privacy > Uncheck "Send usage statistics" to disable Amplitude yourself.
Thank you for filing this (and fixing it in Intention)! I'd figured out that Amplitude was the cause of Twitter breaking daily due to huge numbers of redundant cookies, but not the root cause…
I am seeing the same issue happening when I enable the HTTPS Everywhere plugin in Chrome
I think this should fix it (untested):
Please fix this, thanks!
This seems to be happening again. I have HTTPS Everywhere installed, but since roughly a week ago, both Twitter and Reddit, and also Google, started regularly throwing 400 Bad Request errors. When I looked into it, I found dozens of cookies named similarly to
Hi @bolekkerous, thanks for choosing amplitude. We are sorry about the inconvenience. We are investigating this issue right now.
Thanks @yuhao900914, I managed to fix it for now by disabling HTTPS Everywhere, but a lot of people probably still use it. It started happening only recently and HTTPS Everywhere didn't have an update for months, so it's likely something on your end or some interaction with Chrome perhaps.
@bolekkerous, we are still investigating this issue. However, we noticed that
My first thought was to investigate if Twitter and Reddit are using old versions of Amplitude. I tested it for Twitter and I could not immediately see where Amplitude was used.
Also I originally investigated this with respect to Jitsi. HTTPS Everywhere was never the root cause, it just exacerbated the problem with Amplitude.
The issue is happening on my website too. It's even weirder that I disabled the cookies when initiating Amplitude by using the
Hi @na-ji, We have 2 cookies, the old cookies, and the new cookies. We will check if you have the old cookies (amp_cookie_test will be created and removed) and migrate the data to the new one if that's available. When you call to disable cookies, it disables the new cookies. That's why But removing the test cookie will be called finally. It shouldn't be there.
Hi @yuhao900914, I think I misinterpreted the issue on my side. I thought I saw a few cookies However, I do have another question: why testing if we can create cookies when the option Thank you.
Hi @na-ji, we just have a fix on that issue. With the latest version of the Amplitude-JavaScript SDK, if you disable cookies, it will skip the check. Thanks.
Something I'm failing to understand is why would amplitude set AMP_MKT_ and other cookies for my site's domain? Every request made to my site contains these cookies that serve no purpose. After logging out and logging in with different users, these cookies get built up over time, ultimately causing a 413 - Request entity too large exception.
Expected Behavior
I can browse websites without issues and unwanted cookies
Current Behavior
The amplitude library keeps adding junk and seemingly duplicate cookies to my requests, eventually so many that web servers like nginx stop responding to requests
Possible Solution
Stop adding duplicate cookies, respect user's desire not to be tracked
Steps to Reproduce
I have tracked this down to partly being because of the Intention Chrome extension, partly this library not respecting users who block tracking (via uBlock Origin), but I feel like your library shouldn't be adding so many duplicate cookies.
I will definitely have to file a bug with the Intention Chrome extension and their use of buggy user tracking software.
I have uBlock Origin which I use to block these types of trackers and I suspect that your library doesn't know how to properly behave when this happens. What I see happening is while I'm browsing https://news.ycombinator.com/news, every time I navigate to a new link on that site a set of amp_cookie_test and _tldtest with a random id is appending to my cookies list, along with one amplitude_testycombinator.com cookie. Eventually their nginx server responds with a 400 bad request error because one of the request headers is too big (because of all of the cookies). The only way to do a temporary fix is to close ALL of my tabs from that website, then use Chrome to delete the cookies for that site (but it starts to add up soon again and eventually it happens again).
On every request to this site (ycombinator news), I see a blocked request to api.amplitude.com (blocked by uBlock) which is what makes me really suspect this is an issue with Amplitude.
Here is a sample curl request to demonstrate the problem
I have also attached the source code for the Intention extension where you can see the key prefixes for the cookies I mentioned above. Apparently I wasn't able to attach it, I can provide it if needed. Source code here: intention-bundle-formatted-20201202.js.zip
Environment
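An added example, not code from the Amplitude SDK or from anyone in this thread: a JavaScript check that audits a `Cookie` request header for the probe-cookie name prefixes reported in the issue above and tells whether those cookies alone push the header past a size limit. The names `auditCookieHeader` and `buildSampleHeader` are hypothetical, the sample header is constructed, and the 8192-byte default is an assumption modelled on nginx's default `large_client_header_buffers` buffer size.

```javascript
// Added example: cookie-name prefixes are the ones reported in this issue.
const PROBE_PREFIXES = ['amp_cookie_test', '_tldtest', 'amplitude_test'];
const byteLen = (s) => new TextEncoder().encode(s).length;

// Assumption: limitBytes models the server's per-header-line buffer (nginx default 8k).
function auditCookieHeader(header, limitBytes = 8192) {
  const byPrefix = {};
  for (const p of PROBE_PREFIXES) byPrefix[p] = { count: 0, bytes: 0 };
  for (const pair of header.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed) continue;
    const name = trimmed.split('=')[0];
    const prefix = PROBE_PREFIXES.find((p) => name.startsWith(p));
    if (!prefix) continue;
    byPrefix[prefix].count += 1;
    byPrefix[prefix].bytes += byteLen(trimmed) + 2; // +2 for the "; " separator
  }
  const stats = Object.values(byPrefix);
  const probeCount = stats.reduce((n, s) => n + s.count, 0);
  const probeBytes = stats.reduce((n, s) => n + s.bytes, 0);
  const totalBytes = byteLen('Cookie: ' + header);
  const overLimit = totalBytes > limitBytes;
  // True when the header is too large and would fit again without the probes.
  const probesAreCause = overLimit && totalBytes - probeBytes <= limitBytes;
  return { totalBytes, probeCount, probeBytes, byPrefix, overLimit, probesAreCause };
}

// Constructed sample: one session cookie plus the leftovers of `visits` page loads.
function buildSampleHeader(visits) {
  const parts = ['session=abc123'];
  for (let i = 0; i < visits; i++) {
    const id = String(i).padStart(6, '0'); // stand-in for the random id
    parts.push(`amp_cookie_test${id}=1700000000000`, `_tldtest_${id}=1`);
  }
  parts.push('amplitude_testycombinator.com=1');
  return parts.join('; ');
}

const report = auditCookieHeader(buildSampleHeader(200));
console.log(report.probeCount, report.totalBytes, report.probesAreCause);
```

Feeding it the `Cookie` header copied from a failing request in the browser's network tab shows how many leftover probe cookies each prefix contributes and how many bytes they occupy.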