@nuxt/scripts 1.0.0-beta.7 → 1.0.0-rc.2

package/dist/runtime/server/proxy-handler.js

@@ -1,15 +1,18 @@
-import { defineEventHandler, getHeaders, getRequestIP, readBody, getRequestWebStream, getQuery, setResponseHeader, createError } from "h3";
 import { useRuntimeConfig } from "#imports";
+import { createError, defineEventHandler, getHeaders, getQuery, getRequestIP, getRequestWebStream, readBody, setResponseHeader } from "h3";
 import { useNitroApp } from "nitropack/runtime";
 import {
-  SENSITIVE_HEADERS,
   anonymizeIP,
+  mergePrivacy,
   normalizeLanguage,
   normalizeUserAgent,
-  stripPayloadFingerprinting,
   resolvePrivacy,
-  mergePrivacy
+  SENSITIVE_HEADERS,
+  stripPayloadFingerprinting
 } from "./utils/privacy.js";
+const COMPRESSION_RE = /gzip|deflate|br|compress|base64/i;
+const CLIENT_HINT_VERSION_RE = /;v="(\d+)\.[^"]*"/g;
+const SKIP_RESPONSE_HEADERS = /* @__PURE__ */ new Set(["set-cookie", "transfer-encoding", "content-encoding", "content-length"]);
 function stripQueryFingerprinting(query, privacy) {
   const stripped = stripPayloadFingerprinting(query, privacy);
   const params = new URLSearchParams();
@@ -18,11 +21,10 @@ function stripQueryFingerprinting(query, privacy) {
       params.set(key, typeof value === "object" ? JSON.stringify(value) : String(value));
     }
   }
-  return params.toString();
+  return { queryString: params.toString(), stripped };
 }
 export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig();
-  const nitro = useNitroApp();
   const proxyConfig = config["nuxt-scripts-proxy"];
   if (!proxyConfig) {
     throw createError({
@@ -30,72 +32,79 @@ export default defineEventHandler(async (event) => {
       statusMessage: "First-party proxy not configured"
     });
   }
-  const { routes, privacy: globalPrivacy, routePrivacy, debug = import.meta.dev } = proxyConfig;
+  const { proxyPrefix, domainPrivacy, privacy: globalPrivacy, debug = import.meta.dev } = proxyConfig;
   const path = event.path;
   const log = debug ? (message, ...args) => {
     console.debug(message, ...args);
   } : () => {
   };
-  let targetBase;
-  let matchedPrefix;
-  let matchedRoutePattern;
-  const sortedRoutes = Object.entries(routes).sort((a, b) => b[0].length - a[0].length);
-  for (const [routePattern, target] of sortedRoutes) {
-    const prefix = routePattern.replace(/\/\*\*$/, "");
-    if (path.startsWith(prefix)) {
-      targetBase = target.replace(/\/\*\*$/, "");
-      matchedPrefix = prefix;
-      matchedRoutePattern = routePattern;
-      log("[proxy] Matched:", prefix, "->", targetBase);
+  const afterPrefix = path.slice(proxyPrefix.length + 1);
+  const slashIdx = afterPrefix.indexOf("/");
+  const domain = slashIdx > 0 ? afterPrefix.slice(0, slashIdx) : afterPrefix;
+  const remainingPath = slashIdx > 0 ? afterPrefix.slice(slashIdx) : "/";
+  if (!domain) {
+    log("[proxy] No domain in path:", path);
+    throw createError({
+      statusCode: 404,
+      statusMessage: "No proxy domain found",
+      message: `No domain in proxy path: ${path}`
+    });
+  }
+  let perScriptInput;
+  for (const [configDomain, privacyInput] of Object.entries(domainPrivacy)) {
+    if (domain === configDomain || domain.endsWith(`.${configDomain}`)) {
+      perScriptInput = privacyInput;
       break;
     }
   }
-  if (!targetBase || !matchedPrefix || !matchedRoutePattern) {
-    log("[proxy] No match for path:", path);
+  if (perScriptInput === void 0) {
+    log("[proxy] Rejected: domain not in allowlist:", domain);
     throw createError({
-      statusCode: 404,
-      statusMessage: "No proxy route matched",
-      message: `No proxy target found for path: ${path}`
+      statusCode: 403,
+      statusMessage: "Domain not allowed",
+      message: `Proxy domain not in allowlist: ${domain}`
     });
   }
-  const perScriptInput = routePrivacy[matchedRoutePattern];
-  if (debug && perScriptInput === void 0) {
-    log("[proxy] WARNING: No privacy config for route", matchedRoutePattern, "\u2014 defaulting to full anonymization");
-  }
+  const targetBase = `https://${domain}`;
+  log("[proxy] Matched:", domain, "->", targetBase);
   const perScriptResolved = resolvePrivacy(perScriptInput ?? true);
   const privacy = globalPrivacy !== void 0 ? mergePrivacy(perScriptResolved, globalPrivacy) : perScriptResolved;
   const anyPrivacy = privacy.ip || privacy.userAgent || privacy.language || privacy.screen || privacy.timezone || privacy.hardware;
   const originalHeaders = getHeaders(event);
+  const originalQuery = getQuery(event);
   const contentType = originalHeaders["content-type"] || "";
-  const compressionParam = new URL(event.path, "http://localhost").searchParams.get("compression");
+  const compressionParam = originalQuery.compression || "";
   const isBinaryBody = Boolean(
-    originalHeaders["content-encoding"] || contentType.includes("octet-stream") || compressionParam && /gzip|deflate|br|compress|base64/i.test(compressionParam)
+    originalHeaders["content-encoding"] || contentType.includes("octet-stream") || compressionParam && COMPRESSION_RE.test(compressionParam)
   );
-  let targetPath = path.slice(matchedPrefix.length);
-  if (targetPath && !targetPath.startsWith("/")) {
-    targetPath = "/" + targetPath;
-  }
-  let targetUrl = targetBase + targetPath;
+  let targetUrl = targetBase + remainingPath;
+  let strippedQueryRecord;
   if (anyPrivacy) {
-    const query = getQuery(event);
-    if (Object.keys(query).length > 0) {
-      const strippedQuery = stripQueryFingerprinting(query, privacy);
+    if (Object.keys(originalQuery).length > 0) {
+      const { queryString, stripped } = stripQueryFingerprinting(originalQuery, privacy);
+      strippedQueryRecord = stripped;
       const basePath = targetUrl.split("?")[0] || targetUrl;
-      targetUrl = strippedQuery ? `${basePath}?${strippedQuery}` : basePath;
+      targetUrl = queryString ? `${basePath}?${queryString}` : basePath;
     }
   }
   const headers = {};
   for (const [key, value] of Object.entries(originalHeaders)) {
-    if (!value) continue;
+    if (!value)
+      continue;
     const lowerKey = key.toLowerCase();
-    if (SENSITIVE_HEADERS.includes(lowerKey)) continue;
+    if (lowerKey === "host")
+      continue;
+    if (SENSITIVE_HEADERS.includes(lowerKey))
+      continue;
     if (lowerKey === "content-length") {
-      if (anyPrivacy && !isBinaryBody) continue;
+      if (anyPrivacy && !isBinaryBody)
+        continue;
       headers[lowerKey] = value;
       continue;
     }
     if (lowerKey === "x-forwarded-for" || lowerKey === "x-real-ip" || lowerKey === "forwarded" || lowerKey === "cf-connecting-ip" || lowerKey === "true-client-ip" || lowerKey === "x-client-ip" || lowerKey === "x-cluster-client-ip") {
-      if (privacy.ip) continue;
+      if (privacy.ip)
+        continue;
       headers[lowerKey] = value;
       continue;
     }
@@ -108,11 +117,12 @@ export default defineEventHandler(async (event) => {
       continue;
     }
     if (lowerKey === "sec-ch-ua" || lowerKey === "sec-ch-ua-full-version-list") {
-      headers[lowerKey] = privacy.hardware ? value.replace(/;v="(\d+)\.[^"]*"/g, ';v="$1"') : value;
+      headers[lowerKey] = privacy.hardware ? value.replace(CLIENT_HINT_VERSION_RE, ';v="$1"') : value;
       continue;
     }
     if (lowerKey === "sec-ch-ua-platform-version" || lowerKey === "sec-ch-ua-arch" || lowerKey === "sec-ch-ua-model" || lowerKey === "sec-ch-ua-bitness") {
-      if (privacy.hardware) continue;
+      if (privacy.hardware)
+        continue;
       headers[lowerKey] = value;
       continue;
     }
@@ -134,7 +144,6 @@ export default defineEventHandler(async (event) => {
   let rawBody;
   let passthroughBody = false;
   const method = event.method?.toUpperCase();
-  const originalQuery = getQuery(event);
   const isWriteMethod = method === "POST" || method === "PUT" || method === "PATCH";
   if (isWriteMethod) {
     if (isBinaryBody || !anyPrivacy) {
@@ -149,36 +158,50 @@ export default defineEventHandler(async (event) => {
         } else if (typeof rawBody === "object") {
           body = stripPayloadFingerprinting(rawBody, privacy);
         } else if (typeof rawBody === "string") {
-          if (rawBody.startsWith("{") || rawBody.startsWith("[")) {
-            let parsed = null;
-            try {
-              parsed = JSON.parse(rawBody);
-            } catch {
-            }
-            if (Array.isArray(parsed)) {
-              body = parsed.map(
-                (item) => item && typeof item === "object" && !Array.isArray(item) ? stripPayloadFingerprinting(item, privacy) : item
-              );
-            } else if (parsed && typeof parsed === "object") {
-              body = stripPayloadFingerprinting(parsed, privacy);
-            } else {
-              body = rawBody;
-            }
-          } else if (contentType.includes("application/x-www-form-urlencoded")) {
+          if (contentType.includes("application/x-www-form-urlencoded")) {
             const params = new URLSearchParams(rawBody);
             const obj = {};
-            params.forEach((value, key) => {
-              obj[key] = value;
-            });
+            for (const [key, value] of params.entries()) {
+              if (key in obj) {
+                const existing = obj[key];
+                obj[key] = Array.isArray(existing) ? [...existing, value] : [existing, value];
+              } else {
+                obj[key] = value;
+              }
+            }
             const stripped = stripPayloadFingerprinting(obj, privacy);
-            const stringified = {};
+            const out = new URLSearchParams();
             for (const [k, v] of Object.entries(stripped)) {
-              if (v === void 0 || v === null) continue;
-              stringified[k] = typeof v === "string" ? v : JSON.stringify(v);
+              if (v === void 0 || v === null)
+                continue;
+              if (Array.isArray(v)) {
+                for (const item of v)
+                  out.append(k, typeof item === "string" ? item : JSON.stringify(item));
+              } else {
+                out.append(k, typeof v === "string" ? v : JSON.stringify(v));
+              }
             }
-            body = new URLSearchParams(stringified).toString();
+            body = out.toString();
           } else {
-            body = rawBody;
+            const maybeJson = contentType.includes("json") || (rawBody.startsWith("{") || rawBody.startsWith("["));
+            if (maybeJson) {
+              let parsed = null;
+              try {
+                parsed = JSON.parse(rawBody);
+              } catch {
+              }
+              if (Array.isArray(parsed)) {
+                body = parsed.map(
+                  (item) => item && typeof item === "object" && !Array.isArray(item) ? stripPayloadFingerprinting(item, privacy) : item
+                );
+              } else if (parsed && typeof parsed === "object") {
+                body = stripPayloadFingerprinting(parsed, privacy);
+              } else {
+                body = rawBody;
+              }
+            } else {
+              body = rawBody;
+            }
           }
         } else {
           body = rawBody;
@@ -186,6 +209,7 @@ export default defineEventHandler(async (event) => {
       }
     }
   }
+  const nitro = useNitroApp();
   await nitro.hooks.callHook("nuxt-scripts:proxy", {
     timestamp: Date.now(),
     path: event.path,
@@ -200,7 +224,7 @@ export default defineEventHandler(async (event) => {
     },
     stripped: {
       headers,
-      query: anyPrivacy ? stripPayloadFingerprinting(originalQuery, privacy) : originalQuery,
+      query: strippedQueryRecord ?? originalQuery,
       body: passthroughBody ? "<passthrough>" : body ?? null
     }
   });
@@ -226,24 +250,18 @@ export default defineEventHandler(async (event) => {
       duplex: passthroughBody ? "half" : void 0
     });
   } catch (err) {
-    clearTimeout(timeoutId);
-    log("[proxy] Fetch error:", err instanceof Error ? err.message : err);
-    if (path.includes("/collect") || path.includes("/tr") || path.includes("/events")) {
-      event.node.res.statusCode = 204;
-      return "";
-    }
-    const isTimeout = err instanceof Error && (err.message.includes("aborted") || err.message.includes("timeout"));
+    log("[proxy] Upstream error:", err);
     throw createError({
-      statusCode: isTimeout ? 504 : 502,
-      statusMessage: isTimeout ? "Upstream timeout" : "Bad Gateway",
-      message: "Failed to reach upstream"
+      statusCode: 502,
+      statusMessage: "Bad Gateway",
+      message: `Proxy upstream request failed: ${targetUrl}`
     });
+  } finally {
+    clearTimeout(timeoutId);
   }
-  clearTimeout(timeoutId);
   log("[proxy] Response:", response.status, response.statusText);
-  const skipHeaders = ["set-cookie", "transfer-encoding", "content-encoding", "content-length"];
   response.headers.forEach((value, key) => {
-    if (!skipHeaders.includes(key.toLowerCase())) {
+    if (!SKIP_RESPONSE_HEADERS.has(key.toLowerCase())) {
       setResponseHeader(event, key, value);
     }
   });

package/dist/runtime/server/utils/image-proxy.d.ts

@@ -0,0 +1,12 @@
+export interface ImageProxyConfig {
+    allowedDomains: string[] | ((hostname: string) => boolean);
+    accept?: string;
+    userAgent?: string;
+    cacheMaxAge?: number;
+    contentType?: string;
+    /** Follow redirects (default: true). Set to false to reject redirects (SSRF protection). */
+    followRedirects?: boolean;
+    /** Decode & in URL query parameter */
+    decodeAmpersands?: boolean;
+}
+export declare function createImageProxyHandler(config: ImageProxyConfig): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;

package/dist/runtime/server/utils/image-proxy.js

@@ -0,0 +1,70 @@
+import { createError, defineEventHandler, getQuery, setHeader } from "h3";
+import { $fetch } from "ofetch";
+const AMP_RE = /&/g;
+export function createImageProxyHandler(config) {
+  const {
+    accept = "image/webp,image/jpeg,image/png,image/*,*/*;q=0.8",
+    userAgent,
+    cacheMaxAge = 3600,
+    contentType = "image/jpeg",
+    followRedirects = true,
+    decodeAmpersands = false
+  } = config;
+  return defineEventHandler(async (event) => {
+    const query = getQuery(event);
+    let url = query.url;
+    if (decodeAmpersands && url)
+      url = url.replace(AMP_RE, "&");
+    if (!url) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Image URL is required"
+      });
+    }
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(url);
+    } catch {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Invalid image URL"
+      });
+    }
+    if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Invalid URL scheme"
+      });
+    }
+    const domainAllowed = typeof config.allowedDomains === "function" ? config.allowedDomains(parsedUrl.hostname) : config.allowedDomains.includes(parsedUrl.hostname);
+    if (!domainAllowed) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Domain not allowed"
+      });
+    }
+    const headers = { Accept: accept };
+    if (userAgent)
+      headers["User-Agent"] = userAgent;
+    const response = await $fetch.raw(url, {
+      timeout: 5e3,
+      redirect: followRedirects ? "follow" : "manual",
+      ignoreResponseError: !followRedirects,
+      headers
+    }).catch((error) => {
+      throw createError({
+        statusCode: error.statusCode || 500,
+        statusMessage: error.statusMessage || "Failed to fetch image"
+      });
+    });
+    if (!followRedirects && response.status >= 300 && response.status < 400) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: "Redirects not allowed"
+      });
+    }
+    setHeader(event, "Content-Type", response.headers.get("content-type") || contentType);
+    setHeader(event, "Cache-Control", `public, max-age=${cacheMaxAge}, s-maxage=${cacheMaxAge}`);
+    return response._data;
+  });
+}

package/dist/runtime/server/utils/privacy.d.ts

@@ -20,7 +20,7 @@ export interface ProxyPrivacy {
  * Privacy input: `true` = full anonymize, `false` = passthrough (still strips sensitive headers),
  * or a `ProxyPrivacy` object for granular control (unset flags default to `false` — opt-in).
  */
-export type ProxyPrivacyInput = boolean | ProxyPrivacy | null;
+export type ProxyPrivacyInput = boolean | ProxyPrivacy;
 /** Resolved privacy with all flags explicitly set. */
 export type ResolvedProxyPrivacy = Required<ProxyPrivacy>;
 /**
@@ -71,7 +71,6 @@ export declare const STRIP_PARAMS: {
     browserVersion: string[];
     browserData: string[];
     location: string[];
-    canvas: string[];
     deviceInfo: string[];
 };
 /**
@@ -130,12 +129,4 @@ export declare function generalizeTimezone(value: unknown): string | number;
  * (timezone, language, screen dimensions) while keeping low-entropy values.
  */
 export declare function anonymizeDeviceInfo(value: string): string;
-/**
- * Recursively anonymize fingerprinting data in payload.
- * Fields are generalized or normalized rather than stripped, so endpoints
- * still receive valid data with reduced fingerprinting precision.
- *
- * When `privacy` is provided, only categories with their flag set to `true` are processed.
- * Default (no arg) = all categories active, so existing callers work unchanged.
- */
 export declare function stripPayloadFingerprinting(payload: Record<string, unknown>, privacy?: ResolvedProxyPrivacy): Record<string, unknown>;

package/dist/runtime/server/utils/privacy.js

@@ -1,8 +1,17 @@
 const FULL_PRIVACY = { ip: true, userAgent: true, language: true, screen: true, timezone: true, hardware: true };
 const NO_PRIVACY = { ip: false, userAgent: false, language: false, screen: false, timezone: false, hardware: false };
+const MAJOR_VERSION_RE = /^(\d+)/;
+const VERSION_RE = /^(\d+)(([.\-_])\d+)*/;
+const VERSION_SPLIT_RE = /[.\-_]/;
+const SNAPCHAT_VERSION_RE = /("version"\s*:\s*")(\d+(?:\.\d+)*)/g;
+const GA_VERSION_RE = /;(\d+(?:\.\d+)*)/g;
+const UPPERCASE_RE = /^[A-Z]/;
+const LANG_CODE_RE = /^[a-z]{2}(?:-[a-z]{2,})?$/i;
 export function resolvePrivacy(input) {
-  if (input === true) return { ...FULL_PRIVACY };
-  if (input === false || input === void 0 || input === null) return { ...NO_PRIVACY };
+  if (input === true)
+    return { ...FULL_PRIVACY };
+  if (input === false || input === void 0)
+    return { ...NO_PRIVACY };
   return {
     ip: input.ip ?? false,
     userAgent: input.userAgent ?? false,
@@ -13,8 +22,10 @@ export function resolvePrivacy(input) {
   };
 }
 export function mergePrivacy(base, override) {
-  if (override === void 0 || override === null) return base;
-  if (typeof override === "boolean") return resolvePrivacy(override);
+  if (override === void 0)
+    return base;
+  if (typeof override === "boolean")
+    return resolvePrivacy(override);
   return {
     ip: override.ip !== void 0 ? override.ip : base.ip,
     userAgent: override.userAgent !== void 0 ? override.userAgent : base.userAgent,
@@ -67,11 +78,13 @@ export const STRIP_PARAMS = {
   // Browser version lists — generalized to major versions (d_bvs = Snapchat, uafvl = GA Client Hints)
   browserVersion: ["d_bvs", "uafvl"],
   // Browser data lists — replaced with empty value
-  browserData: ["plugins", "fonts"],
+  browserData: ["plugins", "fonts", "audiofingerprint"],
   // Location/Timezone — generalized
   location: ["tz", "timezone", "timezoneoffset"],
-  // Canvas/WebGL/Audio fingerprints — replaced with empty value (pure fingerprints, no analytics value)
-  canvas: ["canvas", "webgl", "audiofingerprint"],
+  // Canvas/WebGL fingerprints — neutralized at build time via AST rewriting (rewrite-ast.ts).
+  // These params are no longer stripped at runtime; the source APIs (toDataURL, WEBGL_debug_renderer_info)
+  // are neutralized before the script ever runs.
+  // canvas: ['canvas', 'webgl'],
   // Combined device fingerprinting (X/Twitter dv param contains: timezone, locale, vendor, platform, screen, etc.)
   deviceInfo: ["dv", "device_info", "deviceinfo"]
 };
@@ -81,7 +94,7 @@ export const NORMALIZE_PARAMS = {
 };
 export function anonymizeIP(ip) {
   if (ip.includes(":")) {
-    return ip.split(":").slice(0, 3).join(":") + "::";
+    return `${ip.split(":").slice(0, 3).join(":")}::`;
   }
   const parts = ip.split(".");
   if (parts.length === 4) {
@@ -103,7 +116,7 @@ export function normalizeUserAgent(ua) {
     const idx = ua.indexOf(pattern);
     if (idx !== -1) {
       const versionStart = idx + pattern.length;
-      const majorVersion = ua.slice(versionStart).match(/^(\d+)/)?.[1];
+      const majorVersion = ua.slice(versionStart).match(MAJOR_VERSION_RE)?.[1];
       if (majorVersion)
         return `Mozilla/5.0 (compatible; ${family}/${majorVersion}.0)`;
     }
@@ -119,8 +132,10 @@ const SCREEN_BUCKETS = {
   mobile: { w: 360, h: 640 }
 };
 function getDeviceClass(width) {
-  if (width >= 1200) return "desktop";
-  if (width >= 700) return "tablet";
+  if (width >= 1200)
+    return "desktop";
+  if (width >= 700)
+    return "tablet";
   return "mobile";
 }
 export function generalizeScreen(value, dimension) {
@@ -139,31 +154,38 @@ export function generalizeScreen(value, dimension) {
 }
 export function generalizeHardware(value) {
   const num = typeof value === "number" ? value : Number(value);
-  if (Number.isNaN(num)) return 4;
-  if (num >= 16) return 16;
-  if (num >= 8) return 8;
-  if (num >= 4) return 4;
+  if (Number.isNaN(num))
+    return 4;
+  if (num >= 16)
+    return 16;
+  if (num >= 8)
+    return 8;
+  if (num >= 4)
+    return 4;
   return 2;
 }
 export function generalizeVersion(value) {
-  if (typeof value !== "string") return String(value);
-  const match = value.match(/^(\d+)(([.\-_])\d+)*/);
-  if (!match) return String(value);
+  if (typeof value !== "string")
+    return String(value);
+  const match = value.match(VERSION_RE);
+  if (!match)
+    return String(value);
   const major = match[1];
   const sep = match[3] || ".";
-  const segmentCount = value.split(/[.\-_]/).length;
-  return major + (sep + "0").repeat(segmentCount - 1);
+  const segmentCount = value.split(VERSION_SPLIT_RE).length;
+  return major + `${sep}0`.repeat(segmentCount - 1);
 }
 export function generalizeBrowserVersions(value) {
-  if (typeof value !== "string") return String(value);
+  if (typeof value !== "string")
+    return String(value);
   const zeroSegments = (ver) => {
     const parts = ver.split(".");
     return parts[0] + parts.slice(1).map(() => ".0").join("");
   };
   if (value.includes('"version"'))
-    return value.replace(/("version"\s*:\s*")(\d+(?:\.\d+)*)/g, (_, prefix, ver) => prefix + zeroSegments(ver));
+    return value.replace(SNAPCHAT_VERSION_RE, (_, prefix, ver) => prefix + zeroSegments(ver));
   if (value.includes(";"))
-    return value.replace(/;(\d+(?:\.\d+)*)/g, (_, ver) => ";" + zeroSegments(ver));
+    return value.replace(GA_VERSION_RE, (_, ver) => `;${zeroSegments(ver)}`);
   return value;
 }
 export function generalizeTimezone(value) {
@@ -178,15 +200,16 @@ export function generalizeTimezone(value) {
 export function anonymizeDeviceInfo(value) {
   const sep = value.includes("|") ? "|" : "&";
   const parts = value.split(sep);
-  if (parts.length < 4) return value;
+  if (parts.length < 4)
+    return value;
   const result = [...parts];
   for (let i = 0; i < parts.length; i++) {
     const part = parts[i];
-    if (part.includes("/") && /^[A-Z]/.test(part)) {
+    if (part.includes("/") && UPPERCASE_RE.test(part)) {
       result[i] = String(generalizeTimezone(part));
       continue;
     }
-    if (/^[a-z]{2}(?:-[a-z]{2,})?$/i.test(part)) {
+    if (LANG_CODE_RE.test(part)) {
       result[i] = normalizeLanguage(part);
       continue;
     }
@@ -209,6 +232,13 @@ export function anonymizeDeviceInfo(value) {
   }
   return result.join(sep);
 }
+function matchesParam(key, params) {
+  const lk = key.toLowerCase();
+  return params.some((pm) => {
+    const lp = pm.toLowerCase();
+    return lk === lp || lk.startsWith(`${lp}[`);
+  });
+}
 export function stripPayloadFingerprinting(payload, privacy) {
   const p = privacy || FULL_PRIVACY;
   const result = {};
@@ -216,18 +246,12 @@ export function stripPayloadFingerprinting(payload, privacy) {
   for (const [key, value] of Object.entries(payload)) {
     if (key.toLowerCase() === "sw") {
       const num = typeof value === "number" ? value : Number(value);
-      if (!Number.isNaN(num)) deviceClass = getDeviceClass(num);
+      if (!Number.isNaN(num))
+        deviceClass = getDeviceClass(num);
     }
   }
   for (const [key, value] of Object.entries(payload)) {
     const lowerKey = key.toLowerCase();
-    const matchesParam = (key2, params) => {
-      const lk = key2.toLowerCase();
-      return params.some((pm) => {
-        const lp = pm.toLowerCase();
-        return lk === lp || lk.startsWith(lp + "[");
-      });
-    };
     const isLanguageParam = NORMALIZE_PARAMS.language.some((pm) => lowerKey === pm.toLowerCase());
     if (isLanguageParam) {
       if (Array.isArray(value)) {
@@ -264,7 +288,7 @@ export function stripPayloadFingerprinting(payload, privacy) {
       continue;
     }
     if (matchesParam(key, STRIP_PARAMS.hardware)) {
-      result[key] = p.screen ? generalizeHardware(value) : value;
+      result[key] = p.hardware ? generalizeHardware(value) : value;
       continue;
     }
     if (matchesParam(key, STRIP_PARAMS.version)) {
@@ -280,11 +304,7 @@ export function stripPayloadFingerprinting(payload, privacy) {
       continue;
     }
     if (matchesParam(key, STRIP_PARAMS.browserData)) {
-      result[key] = p.hardware ? Array.isArray(value) ? [] : "" : value;
-      continue;
-    }
-    if (matchesParam(key, STRIP_PARAMS.canvas)) {
-      result[key] = p.hardware ? typeof value === "number" ? 0 : typeof value === "object" ? {} : "" : value;
+      result[key] = p.hardware ? Array.isArray(value) ? [] : typeof value === "number" ? 0 : "" : value;
       continue;
     }
     if (matchesParam(key, STRIP_PARAMS.deviceInfo)) {