Configuration for locking beacon_url to specific patterns

Gruntfile.js

@@ -133,7 +133,8 @@ module.exports = function() {
 	// Build configuration
 	//
 	var buildConfig = {
-		server: grunt.option("server") || DEFAULT_TEST_MAIN_DOMAIN || "localhost"
+		server: grunt.option("server") || DEFAULT_TEST_MAIN_DOMAIN || "localhost",
+		beaconUrlsAllowed: grunt.option("beacon-urls-allowed") || ""
 	};
 
 	var bannerFilePathRelative = "./lib/banner.txt";
@@ -243,6 +244,10 @@ module.exports = function() {
 							// strip out BOOMR.plugins = BOOMR.plugins || {}; in plugins
 							pattern: /BOOMR\.plugins\s*=\s*BOOMR\.plugins\s*\|\|\s*{};/g,
 							replacement: ""
+						},
+						{
+							pattern: /beacon_urls_allowed: \[\]/,
+							replacement: "beacon_urls_allowed: [" + buildConfig.beaconUrlsAllowed + "]"
 						}
 					]
 				}

boomerang.js

@@ -332,6 +332,10 @@ BOOMR_check_doc_domain();
 		// Beacon URL
 		beacon_url: "",
 
+		// List of string regular expressions that must match the beacon_url.  If
+		// not set, or the list is empty, all beacon URLs are allowed.
+		beacon_urls_allowed: [],
+
 		// Beacon request method, either GET, POST or AUTO. AUTO will check the
 		// request size then use GET if the request URL is less than MAX_GET_LENGTH
 		// chars. Otherwise, it will fall back to a POST request.
@@ -812,6 +816,28 @@ BOOMR_check_doc_domain();
 		spaNavigation: function() {
 			// a SPA navigation occured, force onloadfired to true
 			impl.onloadfired = true;
+		},
+
+		/**
+		 * Determines whether a beacon URL is allowed based on
+		 * `beacon_urls_allowed` config
+		 *
+		 * @param {string} url URL to test
+		 *
+		 */
+		beaconUrlAllowed: function(url) {
+			if (!impl.beacon_urls_allowed || impl.beacon_urls_allowed.length === 0) {
+				return true;
+			}
+
+			for (var i = 0; i < impl.beacon_urls_allowed.length; i++) {
+				var regEx = new RegExp(impl.beacon_urls_allowed[i]);
+				if (regEx.exec(url)) {
+					return true;
+				}
+			}
+
+			return false;
 		}
 	};
 
@@ -1585,7 +1611,6 @@ BOOMR_check_doc_domain();
 		 * @param {string} config.beacon_url The URL to beacon results back to.
 		 * If not set, no beacon will be sent.
 		 * @param {string} config.beacon_type `GET`, `POST` or `AUTO`
-		 * @param {string[]} [config.secondary_beacons] Additional beacon URLs to send data to
 		 * @param {string} [config.site_domain] The domain that all cookies should be set on
 		 * Boomerang will try to auto-detect this, but unless your site is of the
 		 * `foo.com` format, it will probably get it wrong. It's a good idea
@@ -1614,7 +1639,6 @@ BOOMR_check_doc_domain();
 				    "beacon_auth_token",
 				    "beacon_url",
 				    "beacon_type",
-				    "secondary_beacons",
 				    "site_domain",
 				    "strip_query_string",
 				    "user_ip"
@@ -2811,6 +2835,11 @@ BOOMR_check_doc_domain();
 				return false;
 			}
 
+			if (!impl.beaconUrlAllowed(impl.beacon_url)) {
+				BOOMR.debug("Beacon URL not allowed: " + impl.beacon_url);
+				return false;
+			}
+
 			// Check that we have data to send
 			if (data.length === 0) {
 				return false;
@@ -2880,15 +2909,6 @@ BOOMR_check_doc_domain();
 				}
 
 				img.src = url;
-
-				if (impl.secondary_beacons) {
-					for (k = 0; k < impl.secondary_beacons.length; k++) {
-						url = impl.secondary_beacons[k] + "?" + paramsJoined;
-
-						img = new Image();
-						img.src = url;
-					}
-				}
 			}
 			else {
 				//
@@ -3043,6 +3063,16 @@ BOOMR_check_doc_domain();
 			}
 		}
 
+		/* BEGIN_DEBUG */,
+		/**
+		 * Sets the list of allowed Beacon URLs
+		 *
+		 * @param {string[]} urls List of string regular expressions
+		 */
+		setBeaconUrlsAllowed: function(urls) {
+			impl.beacon_urls_allowed = urls;
+		}
+		/* END_DEBUG */
 	};
 
 	delete BOOMR_start;