Add "Access-Control-Allow-Origin" header for tracker script.
This addresses the issue https://github.com/umami-software/umami/issues/2958 and will support Partytown.
Motivation
The suggested changes of this PR will make Umami work with Partytown.
Context
Partytown is a library that can execute scripts inside a web worker. It was created with the idea of improving website loading and metrics/scores (e.g. executing Google Analytics in a web worker instead of the main thread).
Partytown uses a web worker to execute scripts and prevent them from being executed in the main thread. Partytown "detects" the scripts to be executed in that web worker by type="text/partytown". An example tag:
<script type="text/partytown" src="http://localhost:3000/script.js" data-website-id="c42b9def-dbdf-4066-a3c4-efd8908bc7d6"> </script>
As explained here, Partytown uses fetch to request the script, or rather its content.
Problem
The problem with Partytown and Umami currently is that the script.js tracker script is not served with an Access-Control-Allow-Origin header.
This is valid and fine when it's used via <script src=".../script.js" data-website-id="..."></script> without Partytown.
Browsers load such assets without the presence of the Access-Control-Allow-Origin header.
But whenever something is fetched via XMLHttpRequest or fetch, the Access-Control-Allow-Origin header must be present.
The presence of the header for the script.js tracker script would make Umami work with Partytown.
Scope
The scope of this PR is mainly about adding the Access-Control-Allow-Origin header for the script.js asset and all its alternative paths defined via TRACKER_SCRIPT_NAME.
Proposal
This PR is a suggestion to extend the Next.js config by:
- adding the Access-Control-Allow-Origin header with value * for script.js
- adding the Access-Control-Allow-Origin header with value * for all alternative tracker script paths defined via the environment variable TRACKER_SCRIPT_NAME
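One way to build such rules so the wildcard header reaches only the tracker script and never other routes (an added example, not the code from this PR). It assumes TRACKER_SCRIPT_NAME is a comma-separated list; the function names and the literal-path check are hypothetical.

```javascript
// Added example, not the PR's code. Builds Next.js `headers()` rules that send
// Access-Control-Allow-Origin: * only for the tracker script paths.
// Assumption: TRACKER_SCRIPT_NAME is a comma-separated list of names or paths.

const CORS_HEADER = { key: 'Access-Control-Allow-Origin', value: '*' };

// Next.js treats `source` as a path pattern (":param", "*", "(...)"), so an
// entry containing pattern syntax could widen the header to unrelated routes
// such as the API. Only plain literal paths are accepted here.
const LITERAL_PATH = /^\/[A-Za-z0-9._~\/-]+$/;

function trackerScriptPaths(envValue) {
  const names = (envValue || '')
    .split(',')
    .map((name) => name.trim())
    .filter(Boolean)
    .map((name) => (name.startsWith('/') ? name : `/${name}`));
  // Always include the default path and drop duplicates.
  return [...new Set(['/script.js', ...names])];
}

function trackerCorsRules(envValue) {
  return trackerScriptPaths(envValue).map((source) => {
    if (!LITERAL_PATH.test(source)) {
      throw new Error(`TRACKER_SCRIPT_NAME entry is not a literal path: ${source}`);
    }
    return { source, headers: [CORS_HEADER] };
  });
}

// Hypothetical wiring in next.config.js:
//   async headers() { return trackerCorsRules(process.env.TRACKER_SCRIPT_NAME); }
```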
@peter-kuhmann is attempting to deploy a commit to the umami-software Team on Vercel.
A member of the Team first needs to authorize it.