fix(embed): use document.referrer origin for host_application #648

Draft
Kwame Yeboah (Yeboahmedia) wants to merge 5 commits into main from referer-host-application

@Yeboahmedia Kwame Yeboah (Yeboahmedia) commented Jun 5, 2026

Contributor

User description

Problem

The host_application metadata field always reports https://cdn.smileidentity.com for hosted embed traffic, because window.location inside the iframe is the CDN host, not the partner site that loaded us.

Fix

Use `document.referrer` (parsed via `URL` to keep just the origin) as the source for `host_application`, falling back to the iframe's own origin when the referrer is empty (parent set `Referrer-Policy: no-referrer`, privacy extensions, direct loads in dev).

Under the modern browser default (`strict-origin-when-cross-origin`), `document.referrer` already gives us the origin only — exactly what we want for this telemetry field — so partners don't need to change anything for this to start working.

Coverage expectation

  • ~95–99% of loads: real partner origin (e.g. `https://partner.com`)
  • ~1–5%: falls back to self-origin (referrer suppressed by parent policy or extensions)

Notes

  • Origin-only by design: we wrap with `new URL(referrer).origin` so even if a partner ships an unsafe-url policy we don't accidentally start storing paths/queries in metadata.
  • Captured once at `initializeMetadata` time (existing behaviour), so in-iframe navigation can't overwrite it with a stale value.

PR Type

Bug fix


Description

  • Use document.referrer origin for host_application metadata

  • Fixes iframe always reporting CDN host instead of partner site

  • Falls back to self-origin when referrer is unavailable

  • Strips paths/queries via new URL().origin for privacy


Diagram Walkthrough

```mermaid
flowchart LR
  A["document.referrer"] -- "available" --> B["new URL(referrer).origin"]
  A -- "empty/invalid" --> C["self-origin fallback"]
  B --> D["host_application metadata"]
  C --> D
```

File Walkthrough

Relevant files
Bug fix
index.js
Derive host_application from document.referrer origin       

packages/embed/src/js/metadata/index.js

  • Added getHostApplication() helper function that reads
    document.referrer and extracts the origin
  • Falls back to window.location protocol+hostname when referrer is empty
    or URL parsing fails
  • Replaced inline hostApplication assignment in initializeMetadata with
    call to getHostApplication()
+16/-2   
Documentation
CHANGELOG.md
Add changelog entry for host_application fix                         

CHANGELOG.md

  • Added changelog entry under [Unreleased] describing the
    host_application metadata source change
+4/-0     


  • The host_application metadata field was always reporting the iframe's own
    host (cdn.smileidentity.com) because window.location inside the embed iframe
    is the CDN, not the partner site. Use document.referrer to capture the
    parent page origin instead, falling back to self-origin when referrer is
    empty (e.g. parent sets Referrer-Policy: no-referrer).

    prfectionist Bot commented Jun 5, 2026

    Contributor

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🏅 Score: 92
    🧪 No relevant tests
    🔒 Security concerns

    No. The document.referrer value is used only for telemetry metadata, and the code explicitly strips paths/queries via new URL().origin. While document.referrer can be influenced by the parent page, this is acceptable for analytics purposes and no sensitive data is exposed.

    🔀 No multiple PR themes
    ⚡ Recommended focus areas for review

    Referrer Spoofing

    document.referrer can be spoofed by the embedding page (e.g., via meta tags or header manipulation). If host_application is used for any access-control, billing, or trust decisions downstream, this could be a concern. Verify that this field is used purely for telemetry/analytics and not for authorization purposes.

    if (document.referrer) {
      try {
        return new URL(document.referrer).origin;
      } catch {
        // fall through to self-origin fallback
      }
    }


    github-actions Bot commented Jun 5, 2026


    🔍 Semgrep Security Scan Results

    ✅ No security findings detected by p/security-audit ruleset.


    prfectionist Bot commented Jun 5, 2026

    Contributor

    PR Code Suggestions ✨

    No code suggestions found for the PR.

    Copilot AI left a comment

    Contributor


    Pull request overview

    This PR fixes embed telemetry so host_application reflects the parent page’s origin (the site embedding the iframe) instead of always reporting the iframe/CDN origin.

    Changes:

    • Add a getHostApplication() helper that derives host_application from document.referrer (origin-only) with a fallback when referrer is unavailable.
    • Update initializeMetadata() to use the new helper for host_application.
    • Document the behavior change in CHANGELOG.md.

    Reviewed changes

    Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

    | File | Description |
    | --- | --- |
    | packages/embed/src/js/metadata/index.js | Switch host_application derivation from iframe location to referrer origin via a helper. |
    | CHANGELOG.md | Add an Unreleased entry describing the host_application source change for embed. |

    Comment thread packages/embed/src/js/metadata/index.js Outdated
    Comment on lines +215 to +222
    if (document.referrer) {
    try {
    return new URL(document.referrer).origin;
    } catch {
    // fall through to self-origin fallback
    }
    }
    return `${window.location.protocol}//${window.location.hostname}`;
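Review bot: the fallback on the last line builds its value from `window.location.protocol` and `window.location.hostname`, which drops any non-default port, while the referrer branch returns `new URL(document.referrer).origin`, which keeps it, so the two branches emit differently shaped values for the same field; use `window.location.origin` for the fallback. In the referrer branch, `.origin` serializes to the string "null" when the parsed URL has an opaque origin (for example a custom app scheme), so compare against that value and fall through to the fallback instead of returning it.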
    Comment on lines 225 to 228
    export const initializeMetadata = async () => {
    metadata = [];
    const hostApplication = `${window.location.protocol}//${window.location.hostname}`;
    addMetadataEntry('host_application', hostApplication);
    addMetadataEntry('host_application', getHostApplication());
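Review bot: the `addMetadataEntry('host_application', getHostApplication())` call now records a value that the embedding page influences through `document.referrer`, and neither this hunk nor the changed files document or test that. Add a comment at the call stating that the field is telemetry-only and must not feed authorization, billing or trust decisions, and add unit tests that stub `document.referrer` with an empty string, a malformed value and a full URL carrying a path and query.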


    github-actions Bot commented Jun 5, 2026


    This branch has been deployed to s3 / cloudfront.

    ✅ Preview URL for Smart Camera Web:

    https://cdn.smileidentity.com/js/preview-referer-host-application/smart-camera-web.js
    

    ✅ Preview URL for Embed:

    https://cdn.smileidentity.com/inline/preview-referer-host-application/js/script.min.js
    

    ✅ Preview URL for Web Client (Sandbox):

    https://d2l9sy466fppw.cloudfront.net
    

    ✅ Preview URL for Web Client (Production):

    https://d3skarw1cepbu8.cloudfront.net
    

    Use window.location.origin for the fallback (matches the URL().origin format
    used in the referrer branch — includes port if non-default) and ignore the
    "null" serialization for opaque origins (about:blank, sandboxed iframes,
    data: URLs).
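
The referrer-to-origin derivation from the PR description, combined with the `window.location.origin` fallback and "null" handling described in the commit message above, as an added example that is not the project's code. `resolveHostApplication`, the `source` field, the `'unknown'` sentinel, the http(s) scheme allow-list and the sample referrers are assumptions made for illustration; in the browser the two arguments would be `document.referrer` and `window.location.origin`.

```javascript
// Added example (not the project's code). Names and sample values are hypothetical.
const WEB_SCHEMES = new Set(['http:', 'https:']);

// referrer: what document.referrer returned; selfOrigin: window.location.origin.
function resolveHostApplication(referrer, selfOrigin) {
  if (typeof referrer === 'string' && referrer !== '') {
    try {
      const url = new URL(referrer);
      // Only http(s) referrers name a web host. Other schemes (a custom app
      // scheme, data:) have an opaque origin that serializes to the string
      // "null"; the second check is a defensive guard against recording it.
      if (WEB_SCHEMES.has(url.protocol) && url.origin !== 'null') {
        // .origin keeps scheme, host and non-default port; path, query and
        // fragment are dropped even if the parent sent a full URL.
        return { value: url.origin, source: 'referrer' };
      }
    } catch {
      // Malformed referrer: fall through to the self-origin fallback.
    }
  }
  // window.location.origin can itself be "null" (e.g. a data: URL document).
  if (typeof selfOrigin === 'string' && selfOrigin !== '' && selfOrigin !== 'null') {
    return { value: selfOrigin, source: 'self' };
  }
  return { value: 'unknown', source: 'none' };
}

// Constructed sample referrers, one per case discussed on this page.
const SELF = 'https://cdn.smileidentity.com';
const SAMPLES = [
  'https://partner.example/checkout?session=abc123#step2', // unsafe-url policy
  'https://partner.example:8443/kyc',                      // non-default port
  '',                                                      // referrer suppressed
  'not a url',                                             // malformed
  'android-app://com.partner.example/',                    // opaque origin
];

function runSamples() {
  return SAMPLES.map((r) => ({ referrer: r, ...resolveHostApplication(r, SELF) }));
}

for (const row of runSamples()) {
  console.log(JSON.stringify(row));
}
```

Recording `source` next to the value lets whoever reads the telemetry tell a genuine partner origin from a fallback, which matters because the referrer is set by the embedding page.
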
    @github-actions


    This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.

    @github-actions github-actions Bot added the Stale label Jun 22, 2026
    @Yeboahmedia

    Contributor Author

    Copilot resolve the merge conflicts in this pull request

    Copilot AI commented Jun 24, 2026


    Copilot resolve the merge conflicts in this pull request

    Merge conflicts are resolved in commit 6286602.
