@SARAVANA1501 opened this Issue on June 17th 2020

We are hosting Matomo behind gateway service, which is capable of exposing part of matomo endpoint to internet. We need to authenticate every request by certain custom header. The token is available in website cookie which we are trying to track. Is it possible to add that token or key in every request made by matomojs?

@tsteur commented on June 17th 2020 Member

@SARAVANA1501 you mean in the JS tracking request (going eg to matomo.php endpoint?)

@SARAVANA1501 commented on June 17th 2020

Yeah

@tsteur commented on June 17th 2020 Member

That's not possible just yet unless you manage to intercept these any XmlHttpRequest or maybe using service workers. Alternatively, you could create a PR that adds this feature.

@SARAVANA1501 commented on June 17th 2020

If provide a some technical detail to begin, I am glad to start.

@tsteur commented on June 17th 2020 Member

It's hard to give much technical detail there. Basically, you want to look at the js/piwik.js file.

Add some public method that can be called similar to how this.trackEvent = function (category, action, name, value, customData, callback) { is currently defined.

eg this.setCustomRequestHeader(name, value).

You'd store this in a say configCustomHeaders[name] = value.

These custom headers you would need apply to the method in sendPostRequestViaSendBeacon and sendXmlHttpRequest.

To have this working you would also need to force using POST requests by calling _paq.push(['setRequestMethod', 'POST']).

You would later configure the headers like _paq.push(['setCustomRequestHeader', 'name', 'value...']);

@Findus23 @mattab do we see any issues with allowing people to send custom headers? I suppose if there's an XSS on the site or ad blockers they could configure any random custom headers but I suppose they could also just send the XmlHttpRequest to the Matomo directly if they wanted in that case.

Wondering if this was maybe better done in a custom tracker plugin see https://developer.matomo.org/guides/enrich-js-tracker in which case I would give you different instructions @SARAVANA1501

Powered by GitHub Issue Mirror