statsig.com [rej]

[jkw]

Hi!

statsig.com provides feature flagging and experimentation tools for websites/apps. Many of our customers have reported that their sites have features incorrectly turned off due to all requests to statsig.com domain getting blocked. We understand that certain endpoints are logging user events so they should be on the EasyPrivacy list, but under the same domain there are also endpoints that provide essential features for users that are getting blocked, so users who should see certain features are not seeing them as a result, and vice versa.

Can you only block these specific urls below instead of the whole statsig.com?

• api.statsig.com/v1/log_event
• api.statsig.com/v1/rgstr
• api.statsig.com/v1/log_event_beacon

Thank you!

[fanboy]

It is covered in https://github.com/easylist/easylist/bl ... asyprivacy

Impressions / Event / Perf / Pageview logging

[jkw]

@fanboy I understand that analytics is covered in the policy, but I don't see feature flagging being covered in there, and that's why I'm asking if we can only block the analytics related endpoints instead of the whole domain.

Feature flagging being blocked is causing apps and websites to show broken experiences for users, e.g. users in the EU could now start to see features they are not supposed to see due to the endpoint being blocked; features designed for new customers only can start showing up for returning customers, etc.

[jhurwitz]

The startup I work for is a Statsig customer. I reported an issue to the Statsig team and was directed to this forum thread as the reason Statsig is being blocked by content blockers. I would like to share two data points from my own personal experience:

(1) The app I am building uses Statsig for feature gating and dynamic configs. We relatively recently launched from beta and introduced the ability for users to self-serve sign up for the product; the entire sign-up flow was behind a dynamic config, whose default value disabled signup if the Statsig servers could not be reached. After launching out of beta, we decided to keep this config around in case we ever need to quickly disable signups without waiting for a code push (eg, if we see a spike in abuse that we want to quickly stop while we investigate). We've been hearing from an increasing number of users recently that signup has been broken for them. After digging in, we realized it's because browser extensions are blocking the network requests to Statsig, causing our app in these cases to fall back to the default value of signup being disabled.

(2) Our team uses Notion as a document library. Today, I was in the middle of collaborating on a Notion doc with a coworker when suddenly I found myself unable to edit tables (I could not add rows, remove rows, or view the table's options). Hard refreshing the page didn't help. I opened my JS console to investigate, and immediately saw that network requests to Statsig were being blocked by a browser extension. (I hadn't previously known Notion was using Statsig!) I disabled my content blocker, refreshed the page, and then I could edit Notion tables again. Without being a Notion employee or having access to the Notion source code, I'm not sure what the root cause was here (and I'm not currently able to consistently repro the problem), but as an end user, it's definitely highly surprising to me that major functionality on a tool that I rely on every day for work would break because a feature gating API is being blocked.

I use a content blocker in my browser because I want to minimize the ways in which companies can track me online, but I may have to uninstall or disable it if it's breaking application behaviors I depend on. I've read through the linked README listing what types of endpoints are blocked by EasyPrivacy, and while I understand that certain Statsig endpoints fall under categories in that list (like analytics), I agree with @jkw that there ought to be a specific feature flagging endpoint that is allowed.

[jkw]

@fanboy could you please take another look at the responses above? Looking at the policy and the current list, it does seem like general feature flagging purposes should be allowed, and what we are asking is that you only block our analytics endpoints so that feature flagging isn't broken. Thanks!

[fanboy]

Policy is not changing for Statsig. Making excuses to track by mixing other features in, doesn't wash. Tracking will always trump everything else. So it will stay.