
[Detail Bug] Analytics SDK crashes on HTTP sites due to missing Web Crypto APIs (secure-context only) #170

@detail-app


Detail Bug Report

https://app.detail.dev/org_ea7bf3e3-a2f4-4402-9351-baa0e1eaa1f5/bugs/bug_a3a22fbc-9a3c-47c3-aa54-0313711e911f

Summary

  • Context: The file src/utils/generate.ts provides utility functions for generating SHA-256 hashes and UUIDs, which are essential for event deduplication and anonymous user identification in the analytics SDK.
  • Bug: The hash and generateNativeUUID functions rely on Web Crypto APIs (crypto.subtle.digest and crypto.randomUUID) that are only available in secure contexts (HTTPS) in most modern browsers (like Chrome and Safari).
  • Actual vs. expected: In insecure contexts (HTTP), crypto.subtle is undefined and crypto.randomUUID is not a function, causing these calls to throw a TypeError. The expected behavior is to have a fallback or use a more compatible library like the already included ethereum-cryptography.
  • Impact: The SDK will crash on any website served over HTTP when attempting to initialize (via generateNativeUUID for the anonymous ID) or track an event (via hash for the message ID), leading to total failure of the SDK and potentially breaking the host application.

Code with Bug

export async function hash(input: string): Promise<string> {
  const hashBuffer = await crypto.subtle.digest(
    // <-- BUG 🔴 [crypto.subtle is undefined on HTTP sites]
    "SHA-256",
    new TextEncoder().encode(input)
  );
  const byteArray = new Uint8Array(hashBuffer);
  return Array.from(byteArray)
    .map((byte) => byte.toString(16).padStart(2, "0"))
    .join("");
}

export function generateNativeUUID(): UUID {
  return crypto.randomUUID(); // <-- BUG 🔴 [crypto.randomUUID is not a function on HTTP sites]
}

Explanation

Browsers generally restrict crypto.subtle and crypto.randomUUID() to Secure Contexts (HTTPS and localhost). On HTTP pages, these APIs are missing, so calling crypto.subtle.digest(...) or crypto.randomUUID() throws at runtime, crashing SDK initialization and/or event tracking.

Codebase Inconsistency

The repo already includes a cross-environment hashing implementation via ethereum-cryptography (noted as secureHash in src/utils/hash.ts), but src/utils/generate.ts redundantly uses Web Crypto without fallback.

Recommended Fix

Use ethereum-cryptography for hashing (and add a UUID fallback when crypto.randomUUID is unavailable) to avoid secure-context-only Web Crypto APIs.

import { sha256 } from "ethereum-cryptography/sha256";
import { utf8ToBytes, bytesToHex } from "ethereum-cryptography/utils";

export async function hash(input: string): Promise<string> {
  // Use existing, safe utility
  return bytesToHex(sha256(utf8ToBytes(input))); // <-- FIX 🟢
}
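An added example, not the SDK's or Detail's own code, of the fallback path the fix describes: it builds a version-4 UUID from crypto.getRandomValues (which browsers expose on HTTP pages as well; only crypto.subtle and crypto.randomUUID are secure-context-only) and prefers the native API when it exists, and it wraps hashing the same way. The names generateUUID, hashWithFallback and ByteSource are assumptions for illustration; the pure-JS sha256 is passed in (ethereum-cryptography's sha256 has that shape) so the snippet has no dependency.

```typescript
// Added example, not the SDK's own code. generateUUID, hashWithFallback and
// ByteSource are illustrative names, not identifiers from the repo.
type ByteSource = (n: number) => Uint8Array;

// crypto.getRandomValues() is available on HTTP pages; only crypto.subtle
// and crypto.randomUUID() are restricted to secure contexts.
const webRandomBytes: ByteSource = (n) => {
  const c: any = (globalThis as any).crypto;
  if (!c?.getRandomValues) throw new Error("no CSPRNG available");
  return c.getRandomValues(new Uint8Array(n));
};

const toHex = (b: Uint8Array): string =>
  Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Build an RFC 4122 version-4 UUID from 16 random bytes by forcing the
// version nibble (0100) in byte 6 and the variant bits (10xx) in byte 8.
export function uuidV4FromBytes(bytes: Uint8Array): string {
  if (bytes.length !== 16) throw new Error("uuidV4FromBytes needs 16 bytes");
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40;
  b[8] = (b[8] & 0x3f) | 0x80;
  const h = toHex(b);
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// Drop-in for generateNativeUUID: native API when present, fallback otherwise.
export function generateUUID(randomBytes: ByteSource = webRandomBytes): string {
  const c: any = (globalThis as any).crypto;
  if (typeof c?.randomUUID === "function") return c.randomUUID();
  return uuidV4FromBytes(randomBytes(16));
}

// Drop-in for hash(): Web Crypto when present, else a caller-supplied pure-JS
// SHA-256 such as ethereum-cryptography's sha256. Output is hex either way.
export async function hashWithFallback(
  input: string,
  sha256: (data: Uint8Array) => Uint8Array,
): Promise<string> {
  const data = new TextEncoder().encode(input);
  const c: any = (globalThis as any).crypto;
  const digest = typeof c?.subtle?.digest === "function"
    ? new Uint8Array(await c.subtle.digest("SHA-256", data))
    : sha256(data);
  return toHex(digest);
}

export const UUID_V4_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
```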

History

This bug was introduced in commit dfc3351. This commit added anonymous session tracking and wallet linking logic, which introduced the generateNativeUUID and hash utilities relying on the Web Crypto API (crypto.randomUUID and crypto.subtle.digest) without providing fallbacks for insecure (non-HTTPS) environments.
