• Resolved jhndkrvzc

    (@jhndkrvzc)


    Hi,

    Affected across many pages and multiple sites; URL withheld for privacy.

    We’re seeing a 403 error when the Target > Default (goals.js) option is enabled in Burst Statistics.
    When this option is disabled, there’s no issue.

    Symptoms

    Browser console shows:

    GET https://www.lesbeauxgarcons.fr/wp-content/plugins/burst-statistics//assets/js/build/burst-goals.js?v=1761223438 net::ERR_ABORTED 403 (Forbidden)
    Uncaught (in promise) TypeError: Failed to fetch dynamically imported module: https://www.lesbeauxgarcons.fr/wp-content/plugins/burst-statistics//assets/js/build/burst-goals.js?v=1761223438

    Note: the URL contains a double slash in the path (...burst-statistics//assets/...), which triggers a WAF/ModSecurity block on the host (rule type similar to OWASP CRS — Multiple/Consecutive Slashes in URI).

    Steps to reproduce

    1. Activate Burst Statistics.
    2. Enable Target > Default (goals.js).
    3. Load the front end.
    4. Check the network/console: a dynamic import goes to
      /wp-content/plugins/burst-statistics//assets/js/build/burst-goals.js?...403.

    Environment

    • WordPress 6.8.3
    • Theme/Builder: Hello Elementor 3.4.4, Elementor 3.32.5, Elementor Pro 3.32.3
    • Burst Statistics: latest available as of 2025-10-23
    • Hosting with WAF blocking paths containing consecutive slashes

    Likely cause

    In assets/js/build/burst-cookieless.min.js, the module URL is built with a base that already ends with / plus a path that starts with /, producing //:

    import(baseUrl + "/assets/js/build/burst-goals.js") // → results in .../burst-statistics//assets/...

    Proposed fix (trivial – 1 character)

    Change the imported path to omit the leading slash:

    - import(baseUrl + "/assets/js/build/burst-goals.js") + import(baseUrl + "assets/js/build/burst-goals.js")
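
Review bot: the `+` line is only correct while baseUrl is guaranteed to end with `/`; if the localized value ever arrives without the trailing slash, the import resolves to `.../burst-statisticsassets/js/build/burst-goals.js` and fails in a different way. Consider normalizing at the join instead (strip trailing slashes from baseUrl, strip leading slashes from the path, insert exactly one `/`), and make the change in the unminified source rather than in burst-cookieless.min.js so the next build does not revert it.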

    Alternative on the PHP side (if the URL is localized from PHP):

    • keep baseUrl with a trailing slash and provide the path without a leading slash ('assets/js/build/burst-goals.js'),
      or
    • provide baseUrl without the trailing slash and keep "/assets..." in JS.

    Impact

    Many WAFs block paths with //, so the “goals” module fails to load, causing 403s and console noise, and potentially preventing goal functionality.

    Temporary workarounds

    • Disable Target > Default (goals.js) (not ideal—feature lost).
    • Local one-character patch in burst-cookieless.min.js as shown above (will be overwritten on next update).
    • Ask the host to add a WAF exception for /wp-content/plugins/burst-statistics/assets/ (stop-gap only).

    Thanks in advance for shipping a fix in a future release. Happy to provide network traces and a test login if helpful.

    Best,
    Jehan — kvizion

    • This topic was modified 1 month, 3 weeks ago by jhndkrvzc.
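
The join problem described in the post, as an added example that is not part of the original post and not Burst Statistics code: a slash-safe join next to the plain concatenation, with a check for consecutive slashes in the URL path. The helper names (`joinUrl`, `hasConsecutiveSlashes`, `compareJoins`) and the `example.test` base URLs are assumptions made for illustration, as is the choice to inspect only the path component.

```javascript
// Path taken from the report; everything else here is constructed.
const GOALS_PATH = '/assets/js/build/burst-goals.js';

// Join base and path with exactly one "/" between them, whether or not
// the base ends with "/" or the path starts with "/".
function joinUrl(base, path) {
  return base.replace(/\/+$/, '') + '/' + path.replace(/^\/+/, '');
}

// True when the path component contains two or more consecutive slashes.
// The "//" after the scheme and anything in the query string are ignored
// (assumption: the blocking rule looks at the path only).
function hasConsecutiveSlashes(url) {
  const { pathname } = new URL(url); // WHATWG URL keeps "//" in the path as-is
  return /\/{2,}/.test(pathname);
}

// For each base, build the URL by plain concatenation (as in the report)
// and by joinUrl, and record which of the two a "//" rule would flag.
function compareJoins(bases, path = GOALS_PATH) {
  return bases.map((base) => {
    const naive = base + path;
    const fixed = joinUrl(base, path);
    return {
      naive,
      naiveFlagged: hasConsecutiveSlashes(naive),
      fixed,
      fixedFlagged: hasConsecutiveSlashes(fixed),
    };
  });
}

// Constructed sample bases: with and without a trailing slash.
const SAMPLE_BASES = [
  'https://example.test/wp-content/plugins/burst-statistics/',
  'https://example.test/wp-content/plugins/burst-statistics',
];

for (const row of compareJoins(SAMPLE_BASES)) {
  console.log(row.naiveFlagged ? 'flagged' : 'ok     ', row.naive);
  console.log(row.fixedFlagged ? 'flagged' : 'ok     ', row.fixed);
}
```

The same check can run in a build or CI step over every asset URL a plugin emits, so a doubled slash is caught before a host's WAF rejects it.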
Viewing 2 replies - 1 through 2 (of 2 total)