Kuoll error analytics blog

    Ignoring private web page parts

    This document describes how Kuoll uses IndexedDB, localStorage and sessionStorage to record user issues.

    Overview

    Kuoll is a tool that helps website owners detect when users encounter a bug and build detailed, debuggable records of user sessions. To do this, Kuoll records the page continuously, stores the data on the client side and flushes it to the server whenever an issue occurs. Until the data is flushed, it’s stored in IndexedDB, localStorage and sessionStorage.

    localStorage usage

    localStorage is a browser domain-wide storage. Kuoll uses it to detect when a user has the site open in a few tabs in parallel. Recording a few tabs isn’t supported yet, and Kuoll records only the first tab opened. The amount of data stored in localStorage is minuscule; any reasonable quota should be sufficient.

    sessionStorage usage

    sessionStorage is a browser tab-wide storage. Kuoll uses it to track the user and to store internal state during page navigation. Kuoll does not store the record itself or any other heavy data in sessionStorage, which means the default browser quota should be sufficient for it to work correctly. Recording cannot be performed without a functioning sessionStorage.

    IndexedDB usage

    Kuoll provides a Local recording feature. If it is enabled, Kuoll will not save data to the server until an issue occurs. It will instead keep the last 3 minutes of the record in IndexedDB, which is a browser database. Local recording is enabled by default and can be disabled using the localRecording parameter of the kuoll.startRecord method:

    kuoll.startRecord({
    	API_KEY: "your API key",
    	localRecording: false
    });

    Kuoll keeps most of its data in this storage, including page content, events, network interception, etc. The amount of data generated depends on your application and typically varies from a few hundred KB to a few MB per minute of active website usage. Furthermore, the default IndexedDB quota depends on the browser, the device type and the amount of free disk space on the device. While we haven’t faced the issue of exceeding the IndexedDB quota, it’s possible that it will occur for some users on some web applications.

    Some browsers don’t support IndexedDB. Firefox and Safari disable IndexedDB in private browsing mode. In those cases Kuoll monititoring.js falls back to using sessionStorage instead of IndexedDB. Note that sessionStorage usually has a much tighter quota than IndexedDB, so it’s possible to reach the limit if your application generates large amounts of data.
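
The rolling window and the quota limit described above, as an added example (not Kuoll's code): a buffer over any Storage-like object that keeps only the last three minutes of chunks and evicts the oldest ones when the browser raises a quota error. The key names, chunk format and function names are assumptions made for illustration.

```javascript
// Added example, not Kuoll's code: key names and chunk format are assumptions.
const WINDOW_MS = 3 * 60 * 1000;  // the "last 3 minutes" from the text
const INDEX_KEY = "rec:index";    // hypothetical key: ordered list of chunk timestamps

function isQuotaError(e) {
  // DOMException name in current browsers; the second name is older Firefox.
  return !!e && (e.name === "QuotaExceededError" || e.name === "NS_ERROR_DOM_QUOTA_REACHED");
}

function readIndex(storage) {
  return JSON.parse(storage.getItem(INDEX_KEY) || "[]");
}

// Remove the oldest chunk and persist the shortened index.
function dropOldest(storage, index) {
  storage.removeItem("rec:" + index.shift());
  storage.setItem(INDEX_KEY, JSON.stringify(index));
}

// Append one chunk stamped `now` (ms, assumed strictly increasing per call).
// Returns false when the chunk cannot fit even after evicting every older chunk.
function appendChunk(storage, chunk, now) {
  const index = readIndex(storage);
  while (index.length && index[0] <= now - WINDOW_MS) dropOldest(storage, index);
  for (;;) {
    try {
      storage.setItem("rec:" + now, JSON.stringify(chunk));
      storage.setItem(INDEX_KEY, JSON.stringify(index.concat(now)));
      return true;
    } catch (e) {
      if (!isQuotaError(e)) throw e;
      storage.removeItem("rec:" + now);      // undo a half-finished write
      if (index.length === 0) return false;  // nothing left to evict
      dropOldest(storage, index);            // free space, then retry
    }
  }
}

// Chunks currently retained, oldest first.
function readChunks(storage) {
  return readIndex(storage).map((ts) => JSON.parse(storage.getItem("rec:" + ts)));
}
```

In a browser, pass `sessionStorage` as `storage`. A single chunk larger than the whole quota evicts every retained chunk before the call returns false, so callers should cap chunk size.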

    Best practices of web page embed JavaScript API

    We bet that you’ve come across principles about writing modules and classes in JavaScript. When we at Kuoll needed to write a script, embedded in a web page, that provides an API for operating a certain service, we could not find any worthy recommendations for designing such scripts.

    So, here are the requirements for the script:

    • It will be embedded in the pages of third-party web applications;
    • It must work well;
    • It must boot quickly;
    • It should not affect (potentially unpredictably) the operation of the web application;
    • It must comply with security requirements;
    • … // and other 🙂


    The end of CSRF?

    Long-standing issue

    The CSRF or XSRF vulnerability (these abbreviations are synonyms) seems to have always existed. The root of this vulnerability is the well-known ability to make a request from one website to another. Let’s say I create this form on my website:

    <form action="https://bankingsite.com/transfer" method="POST" id="stealMoney">
    <input type="hidden" name="to" value="John Doe">
    <input type="hidden" name="account" value="12416234">
    <input type="hidden" name="amount" value="$1,000">
    </form>

    Your browser will download my site and, of course, my form. I can send it immediately to my server using simple JavaScript.


    Top 10 bugs and their bug fixing

    Many modern web applications use JavaScript. At first it may seem to be a simple language, but that is not true. JavaScript has a lot of nuances, and sometimes these nuances can lead to bugs.

    Bug #1 Bugs with incorrect references to this

    The keyword this is often confused with self-referencing scopes within callbacks and closures.