Skip to content

GPT integration#282

Open
ChristianPavilonis wants to merge 8 commits intomainfrom
feature/gpt-integration
Open

GPT integration#282
ChristianPavilonis wants to merge 8 commits intomainfrom
feature/gpt-integration

Conversation

@ChristianPavilonis
Copy link
Collaborator

@ChristianPavilonis ChristianPavilonis commented Feb 10, 2026
edited
Loading

What this does
Proxies gpt.js script and additional scripts loaded by gpt.js that do the heavy lifting for ad calls for google.

Change Summary

  • Add a new GPT (Google Publisher Tags) integration that proxies the entire GPT script cascade through the publisher's first-party domain, eliminating third-party script loads to securepubads.g.doubleclick.net
  • Server-side: Rust module with HTML attribute rewriting, bootstrap script serving (/integrations/gpt/script), and wildcard proxy endpoints (/pagead/, /tag/) that serve Google's scripts verbatim
  • Client-side: TypeScript script guard with six interception layers (document.write, src property descriptor, setAttribute, createElement, DOM insertion patches, MutationObserver) to catch and rewrite all dynamically inserted GPT scripts back through the proxy
  • Includes a googletag.cmd command queue patch as a hook point for future synthetic ID targeting injection and consent gating
  • Adds integration documentation, unit tests (Rust + TypeScript), and default config in trusted-server.toml

Closes #227

Verifying GPT Script Proxying in the Browser
To confirm that GPT scripts are being proxied through the trusted server domain:

  1. Open DevTools > Network tab on a page with GPT ads
  2. Filter by JS or search for gpt
  3. Look for requests to your publisher domain (e.g. publisher.com/integrations/gpt/script and publisher.com/integrations/gpt/pagead/...) instead of securepubads.g.doubleclick.net
  4. Proxied responses will include the response headers X-GPT-Proxy: true and X-Script-Source:
  5. In the Console tab, look for log messages prefixed with GPT guard: confirming the interception layers are active (e.g. "GPT guard: rewriting document.write script src")

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 10, 2026
View reviewed changes
crates/js/lib/src/integrations/gpt/script_guard.ts Outdated

/** Google ad-serving domains whose URLs should be proxied (exact match). */
const GPT_DOMAINS = [
'securepubads.g.doubleclick.net',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'doubleclick.net', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
/** Google ad-serving domains whose URLs should be proxied (exact match). */
const GPT_DOMAINS = [
'securepubads.g.doubleclick.net',
'pagead2.googlesyndication.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googlesyndication.com', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
const GPT_DOMAINS = [
'securepubads.g.doubleclick.net',
'pagead2.googlesyndication.com',
'tpc.googlesyndication.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googlesyndication.com', so it might match more hosts than expected.

Copilot Autofix

AI 4 days ago

In general, to avoid incomplete hostname regular expressions, any string used to build a regex should be run through a generic “escape for regex literal” function that escapes all regex metacharacters, not only dots. This ensures future additions to GPT_DOMAINS cannot accidentally introduce patterns that match more than the literal hostname.

Concretely, in crates/js/lib/src/integrations/gpt/script_guard.ts, the fallback block in rewriteUrl currently builds the regex with:

new RegExp(`https?://(?:www\\.)?${domain.replace(/\./g, '\\.')}`, 'i')

This manually escapes only dots in domain. Replace this with a helper escapeRegex (defined in this file) that escapes every regex metacharacter: \ ^ $ * + ? . ( ) | { } [ ]. Use that helper both for domain and for any other future regex constructions based on literal strings if needed. The change is localized to this file: add the helper function (near the top, after constants or helpers) and change the new RegExp(...) call to use escapeRegex(domain) instead of domain.replace(/\./g, '\\.'). No behavior changes for current values, but it becomes robust and satisfies the security rule.

Suggested changeset 1
crates/js/lib/src/integrations/gpt/script_guard.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/crates/js/lib/src/integrations/gpt/script_guard.ts b/crates/js/lib/src/integrations/gpt/script_guard.ts
--- a/crates/js/lib/src/integrations/gpt/script_guard.ts
+++ b/crates/js/lib/src/integrations/gpt/script_guard.ts
@@ -54,6 +54,13 @@
 /** Integration route prefix on the first-party domain. */
 const PROXY_PREFIX = '/integrations/gpt';
 
+/**
+ * Escape a string so it can be safely used inside a RegExp literal.
+ */
+function escapeRegex(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 // ---------------------------------------------------------------------------
 // URL matching and rewriting
 // ---------------------------------------------------------------------------
@@ -98,7 +105,7 @@
       if (lower.includes(domain)) {
         const prefix = hostPrefixForDomain(domain);
         return originalUrl.replace(
-          new RegExp(`https?://(?:www\\.)?${domain.replace(/\./g, '\\.')}`, 'i'),
+          new RegExp(`https?://(?:www\\.)?${escapeRegex(domain)}`, 'i'),
           `${window.location.protocol}//${window.location.host}${PROXY_PREFIX}${prefix}`,
         );
       }
EOF
@@ -54,6 +54,13 @@
/** Integration route prefix on the first-party domain. */
const PROXY_PREFIX = '/integrations/gpt';

/**
* Escape a string so it can be safely used inside a RegExp literal.
*/
function escapeRegex(value: string): string {
return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// ---------------------------------------------------------------------------
// URL matching and rewriting
// ---------------------------------------------------------------------------
@@ -98,7 +105,7 @@
if (lower.includes(domain)) {
const prefix = hostPrefixForDomain(domain);
return originalUrl.replace(
new RegExp(`https?://(?:www\\.)?${domain.replace(/\./g, '\\.')}`, 'i'),
new RegExp(`https?://(?:www\\.)?${escapeRegex(domain)}`, 'i'),
`${window.location.protocol}//${window.location.host}${PROXY_PREFIX}${prefix}`,
);
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
'pagead2.googlesyndication.com',
'tpc.googlesyndication.com',
'googletagservices.com',
'www.googletagservices.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googletagservices.com', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
'tpc.googlesyndication.com',
'googletagservices.com',
'www.googletagservices.com',
'cm.g.doubleclick.net',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'doubleclick.net', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
'cm.g.doubleclick.net',
'ep1.adtrafficquality.google',
'ep2.adtrafficquality.google',
'www.googleadservices.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googleadservices.com', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

@ChristianPavilonis ChristianPavilonis linked an issue Feb 11, 2026 that may be closed by this pull request
As publisher I want to host GPT script in publisher domain #227
Open
@ChristianPavilonis
Copy link
Collaborator Author

ChristianPavilonis commented Feb 11, 2026

We should consider the scope of this integration.

Currently this is doing a lot of rewriting and proxying it's not catching everything but many scripts and 3rd party calls are proxied through the 1st party context.

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 12, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 12, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 12, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 13, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 13, 2026
View reviewed changes
@ChristianPavilonis ChristianPavilonis marked this pull request as ready for review February 13, 2026 18:18
aram356
aram356 requested changes Feb 16, 2026
View reviewed changes
crates/common/src/integrations/gpt.rs Outdated
.with_header(
header::CACHE_CONTROL,
format!(
"public, max-age={}, immutable",
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 We should not be setting immutable.

Related to #309 and #310

crates/common/src/integrations/gpt.rs Outdated
),
)
.with_header("X-GPT-Proxy", "true")
.with_header("X-Script-Source", script_url)
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❓ Do we need to pass back X-Script-Source all the time

crates/js/lib/src/integrations/gpt/index.ts Outdated
function patchCommandQueue(tag: Partial<GoogleTag>): void {
const pending = Array.isArray(tag.cmd) ? [...tag.cmd] : [];
const queue: Array<() => void> = [];
tag.cmd = queue;
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 tag.cmd = queue replaces the googletag.cmd object. If GPT is already loaded, this can drop GPT’s custom cmd.push behavior (often immediate execution) and cause queued callbacks to stop executing. Please preserve googletag.cmd identity and patch cmd.push in place), then re-wrap any already queued callbacks.

crates/common/src/integrations/gpt.rs
}

fn build(settings: &Settings) -> Option<Arc<GptIntegration>> {
let config = match settings.integration_config::<GptConfig>(GPT_INTEGRATION_ID) {
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 GPT shim self-initializes unconditionally on bundle load. This ignores server integration config ([integrations.gpt].enabled) and can rewrite GPT URLs to /integrations/gpt/* even when GPT proxy routes are not registered, causing failed script loads.

crates/common/src/integrations/gpt.rs
}

#[cfg(test)]
mod tests {
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 Coverage gap: tests in this module validate URL matching/rewriter config, but there are no tests for handle_script_serving (gpt.rs (line 144)) or handle_pagead_proxy (gpt.rs (line 207)). Please add handler-level tests for path/query forwarding, non-2xx upstream behavior, and content-encoding/vary header propagation.

crates/js/lib/src/integrations/gpt/index.ts
* Any commands already queued before the shim loads are re-queued through the
* wrapper so GPT executes them later via its normal queue-drain behavior.
*/
function patchCommandQueue(tag: Partial<GoogleTag>): void {
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 Coverage gap: patchCommandQueue has no direct tests. Please add tests that cover preserving googletag.cmd behavior when GPT is already loaded, idempotent install (no double wrapping), and pending callback wrapping semantics.

crates/js/lib/src/integrations/gpt/index.ts

// Self-initialise on import (guarded for SSR safety)
if (typeof window !== 'undefined') {
installGptShim();
Copy link
Collaborator

@aram356 aram356 Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 Coverage gap: self-init path is untested. Please add tests for enabled/disabled runtime gating and verify we do not install the shim when GPT integration is disabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aram356 aram356 aram356 requested changes

+1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@ChristianPavilonis ChristianPavilonis

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

As publisher I want to host GPT script in publisher domain

2 participants

@ChristianPavilonis @aram356