Service Worker first visit referrer header

Hello everyone,

Recently we, on the Trust team, have been approached to help facilitate analytics and we would like to explain the problem and gather community feedback before implementing a fix since this would need to be implemented in the service worker affecting all dApps served through DFINITY HTTP Gateways.

When a dApp is served from the DFINITY HTTP gateway, on every user’s first visit, a service worker is installed to convert between HTTP calls and the expected API calls, after the service worker gets installed the page is reloaded and transparently loaded to the end user.

However, if the dApp is using an analytics framework to collect metrics, more specifically, from where the users are coming from, then, those frameworks rely on the referrer header which is a forbidden header controlled by the browser and is altered due to the service worker installation page reload behavior.

Due to the fact that the referrer header is controlled by the browser, we don’t have a way to keep it, which skews the metrics for users visiting a dApp for the first time.

We’ve considered the following approaches to enable that first visit referrer use case:

  1. Save the initial referrer header in a cookie __dapp-referrer with an expiration date set to now() + X mins.
  2. Save the initial referrer header value in local storage.
  3. Append the initial referrer header in the query string when the service worker install page reloads.
  4. Do not reload the page and use document.write to rewrite the DOM in the case of HTML content type. The immediate issue with this approach is that we would miss headers that dApps would want to enforce in the browser such as CSP (this could possibly be circumvented by injecting a meta tag but would be a much more intrusive approach).

We favor option 1 with the cookie, it seems to be the least intrusive approach and dApps would be able to leverage this information that should already be there if they have a need for analytics.

Before we implement the above we will check possible implications with Data Privacy Laws such as GDPR and would love to get some of your feedback.