feat: Add GTM (supabase#35567)

* Add third-parties dependency for GTM. Reexport the GTM from the common package.

* Add the TelemetryTagManager to four of the production apps.

* Add the GOOGLE_TAG_MANAGER_ID env var as a turbo dependency to the 4 apps.

* Skip rendering the tag manager if the env var is not set or not running on the platform.

* Fix the prop type to be extracted from the component.

* Add default values for consent to GTM.

* Another try to mimic gtag function.

* Fix a link in www.

* Try another approach.

* try.

* Remove the data-redaction flag.

* Remove extra code.

* Send a sign-up event if GTM is enabled.

* Send only the email to GTM.

* Minor fixes.

* Remove third-parties from pnpm lockfile.

* Lets try to make studio work again.

* Add CSP rules for img loading for GTM.

* Add event for testing.

* Add www.googletagmanager.com to the CSP rules.

* Add Stape to CSP rules.

* Fix stape CSP.

* Clean up the code.

* Remove extra console.log.

* Fix the stape urls for CORS.

* Fix the wrong category for Stape URL.

* Add google ads urls.

* Bump the timeout.

* Add google.com to the img-src for google ads.

* update csp

* remove comment

* update to use google analytics without signals

* add stape to default-src in csp

* move csp to middleware

* add google ads support and fix middleware base path

* remove google tag manager / google ads references from csp. load via stape proxy instead

* add double click url to image src

* add Google Tag Manager URL to CSP configuration

* add ga4 urls to csp

* remove google urls from CSP

---------

Co-authored-by: Alaister Young <[email protected]>

Author: ivasilov

.github/CODEOWNERS

@@ -14,7 +14,7 @@
 
 /docker/ @supabase/dev-workflows
 
-/apps/studio/next.config.js                                         @supabase/security
+/apps/studio/csp.js                                                 @supabase/security
 /apps/studio/components/interfaces/Billing/Payment                  @supabase/security
 /apps/studio/components/interfaces/Organization/BillingSettings/    @supabase/security
 /apps/studio/components/interfaces/Organization/Documents/          @supabase/security

apps/docs/app/layout.tsx

@@ -11,6 +11,7 @@ import { genFaviconData } from 'common/MetaFavicons/app-router'
 import { GlobalProviders } from '~/features/app.providers'
 import { TopNavSkeleton } from '~/layouts/MainSkeleton'
 import { BASE_PATH, IS_PRODUCTION } from '~/lib/constants'
+import { TelemetryTagManager } from 'common'
 
 const metadata: Metadata = {
   applicationName: 'Supabase Docs',
@@ -47,6 +48,7 @@ const RootLayout = ({ children }: { children: React.ReactNode }) => {
   return (
     <html lang="en">
       <body>
+        <TelemetryTagManager />
         <GlobalProviders>
           <TopNavSkeleton>{children}</TopNavSkeleton>
         </GlobalProviders>

apps/docs/turbo.json

@@ -33,6 +33,7 @@
         "NEXT_PUBLIC_AUTH_PERSISTED_KEY",
         "NEXT_PUBLIC_AUTH_NAVIGATOR_LOCK_KEY",
         "NEXT_PUBLIC_AUTH_DETECT_SESSION_IN_URL",
+        "NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID",
         "NEXT_PUBLIC_GOTRUE_URL",
         "NEXT_PUBLIC_SUPABASE_ANON_KEY",
         // These envs are technically passthrough env vars because they're only used on the server side of Nextjs

apps/studio/.gitignore

@@ -37,3 +37,5 @@ yarn-error.log*
 /public/dashboard
 # Sentry Auth Token
 .sentryclirc
+
+certificates

apps/studio/components/ui/GroupsTelemetry.tsx

@@ -8,7 +8,6 @@ import { useSendGroupsIdentifyMutation } from 'data/telemetry/send-groups-identi
 import { useSendGroupsResetMutation } from 'data/telemetry/send-groups-reset-mutation'
 import { usePrevious } from 'hooks/deprecated'
 import { useSelectedOrganization } from 'hooks/misc/useSelectedOrganization'
-import { useAppStateSnapshot } from 'state/app-state'
 import { IS_PLATFORM } from 'lib/constants'
 
 const getAnonId = async (id: string) => {

apps/studio/csp.js

@@ -0,0 +1,187 @@
+const API_URL = process.env.NEXT_PUBLIC_API_URL
+  ? new URL(process.env.NEXT_PUBLIC_API_URL).origin
+  : ''
+const SUPABASE_URL = process.env.SUPABASE_URL ? new URL(process.env.SUPABASE_URL).origin : ''
+const GOTRUE_URL = process.env.NEXT_PUBLIC_GOTRUE_URL
+  ? new URL(process.env.NEXT_PUBLIC_GOTRUE_URL).origin
+  : ''
+const SUPABASE_PROJECTS_URL = 'https://*.supabase.co'
+const SUPABASE_PROJECTS_URL_WS = 'wss://*.supabase.co'
+
+// construct the URL for the Websocket Local URLs
+let SUPABASE_LOCAL_PROJECTS_URL_WS = ''
+if (SUPABASE_URL) {
+  const url = new URL(SUPABASE_URL)
+  const wsUrl = `${url.hostname}:${url.port}`
+  SUPABASE_LOCAL_PROJECTS_URL_WS = `ws://${wsUrl} wss://${wsUrl}`
+}
+
+// Needed to test docs search in local dev
+const SUPABASE_DOCS_PROJECT_URL = process.env.NEXT_PUBLIC_SUPABASE_URL
+  ? new URL(process.env.NEXT_PUBLIC_SUPABASE_URL).origin
+  : ''
+
+// Needed to test docs content API in local dev
+const SUPABASE_CONTENT_API_URL = process.env.NEXT_PUBLIC_CONTENT_API_URL
+  ? new URL(process.env.NEXT_PUBLIC_CONTENT_API_URL).origin
+  : ''
+
+const SUPABASE_STAGING_PROJECTS_URL = 'https://*.supabase.red'
+const SUPABASE_STAGING_PROJECTS_URL_WS = 'wss://*.supabase.red'
+const SUPABASE_COM_URL = 'https://supabase.com'
+const CLOUDFLARE_CDN_URL = 'https://cdnjs.cloudflare.com'
+const HCAPTCHA_SUBDOMAINS_URL = 'https://*.hcaptcha.com'
+const HCAPTCHA_ASSET_URL = 'https://newassets.hcaptcha.com'
+const HCAPTCHA_JS_URL = 'https://js.hcaptcha.com'
+const CONFIGCAT_URL = 'https://cdn-global.configcat.com'
+const CONFIGCAT_PROXY_URL = ['staging', 'local'].includes(process.env.NEXT_PUBLIC_ENVIRONMENT ?? '')
+  ? 'https://configcat.supabase.green'
+  : 'https://configcat.supabase.com'
+const STRIPE_SUBDOMAINS_URL = 'https://*.stripe.com'
+const STRIPE_JS_URL = 'https://js.stripe.com'
+const STRIPE_NETWORK_URL = 'https://*.stripe.network'
+const CLOUDFLARE_URL = 'https://www.cloudflare.com'
+const ONE_ONE_ONE_ONE_URL = 'https://one.one.one.one'
+const VERCEL_URL = 'https://vercel.com'
+const VERCEL_INSIGHTS_URL = 'https://*.vercel-insights.com'
+const GITHUB_API_URL = 'https://api.github.com'
+const GITHUB_USER_CONTENT_URL = 'https://raw.githubusercontent.com'
+const GITHUB_USER_AVATAR_URL = 'https://avatars.githubusercontent.com'
+const GOOGLE_USER_AVATAR_URL = 'https://lh3.googleusercontent.com'
+
+// This is a custom domain for Stape, which isused for GTM servers
+const STAPE_URL = 'https://ss.supabase.com'
+
+const VERCEL_LIVE_URL = 'https://vercel.live'
+const SENTRY_URL =
+  'https://*.ingest.sentry.io https://*.ingest.us.sentry.io https://*.ingest.de.sentry.io'
+const SUPABASE_ASSETS_URL =
+  process.env.NEXT_PUBLIC_ENVIRONMENT === 'staging'
+    ? 'https://frontend-assets.supabase.green'
+    : 'https://frontend-assets.supabase.com'
+
+const USERCENTRICS_URLS = 'https://*.usercentrics.eu'
+const USERCENTRICS_APP_URL = 'https://app.usercentrics.eu'
+
+// used by vercel live preview
+const PUSHER_URL = 'https://*.pusher.com'
+const PUSHER_URL_WS = 'wss://*.pusher.com'
+
+module.exports.getCSP = function getCSP() {
+  const DEFAULT_SRC_URLS = [
+    API_URL,
+    SUPABASE_URL,
+    GOTRUE_URL,
+    SUPABASE_LOCAL_PROJECTS_URL_WS,
+    SUPABASE_PROJECTS_URL,
+    SUPABASE_PROJECTS_URL_WS,
+    HCAPTCHA_SUBDOMAINS_URL,
+    CONFIGCAT_URL,
+    CONFIGCAT_PROXY_URL,
+    STRIPE_SUBDOMAINS_URL,
+    STRIPE_NETWORK_URL,
+    CLOUDFLARE_URL,
+    ONE_ONE_ONE_ONE_URL,
+    VERCEL_INSIGHTS_URL,
+    GITHUB_API_URL,
+    GITHUB_USER_CONTENT_URL,
+    SUPABASE_ASSETS_URL,
+    USERCENTRICS_URLS,
+    STAPE_URL,
+  ]
+  const SCRIPT_SRC_URLS = [
+    CLOUDFLARE_CDN_URL,
+    HCAPTCHA_JS_URL,
+    STRIPE_JS_URL,
+    SUPABASE_ASSETS_URL,
+    STAPE_URL,
+  ]
+  const FRAME_SRC_URLS = [HCAPTCHA_ASSET_URL, STRIPE_JS_URL, STAPE_URL]
+  const IMG_SRC_URLS = [
+    SUPABASE_URL,
+    SUPABASE_COM_URL,
+    SUPABASE_PROJECTS_URL,
+    GITHUB_USER_AVATAR_URL,
+    GOOGLE_USER_AVATAR_URL,
+    SUPABASE_ASSETS_URL,
+    USERCENTRICS_APP_URL,
+    STAPE_URL,
+  ]
+  const STYLE_SRC_URLS = [CLOUDFLARE_CDN_URL, SUPABASE_ASSETS_URL]
+  const FONT_SRC_URLS = [CLOUDFLARE_CDN_URL, SUPABASE_ASSETS_URL]
+
+  const isDevOrStaging =
+    process.env.NEXT_PUBLIC_VERCEL_ENV === 'preview' ||
+    process.env.NEXT_PUBLIC_ENVIRONMENT === 'local' ||
+    process.env.NEXT_PUBLIC_ENVIRONMENT === 'staging'
+
+  const defaultSrcDirective = [
+    `default-src 'self'`,
+    ...DEFAULT_SRC_URLS,
+    ...(isDevOrStaging
+      ? [
+          SUPABASE_STAGING_PROJECTS_URL,
+          SUPABASE_STAGING_PROJECTS_URL_WS,
+          VERCEL_LIVE_URL,
+          SUPABASE_DOCS_PROJECT_URL,
+          SUPABASE_CONTENT_API_URL,
+        ]
+      : []),
+    PUSHER_URL_WS,
+    SENTRY_URL,
+  ].join(' ')
+
+  const imgSrcDirective = [
+    `img-src 'self'`,
+    `blob:`,
+    `data:`,
+    ...IMG_SRC_URLS,
+    ...(isDevOrStaging ? [SUPABASE_STAGING_PROJECTS_URL, VERCEL_URL] : []),
+  ].join(' ')
+
+  const scriptSrcDirective = [
+    `script-src 'self'`,
+    `'unsafe-eval'`,
+    `'unsafe-inline'`,
+    ...SCRIPT_SRC_URLS,
+    VERCEL_LIVE_URL,
+    PUSHER_URL,
+  ].join(' ')
+
+  const frameSrcDirective = [`frame-src 'self'`, ...FRAME_SRC_URLS, VERCEL_LIVE_URL].join(' ')
+
+  const styleSrcDirective = [
+    `style-src 'self'`,
+    `'unsafe-inline'`,
+    ...STYLE_SRC_URLS,
+    VERCEL_LIVE_URL,
+  ].join(' ')
+
+  const fontSrcDirective = [`font-src 'self'`, ...FONT_SRC_URLS, VERCEL_LIVE_URL].join(' ')
+
+  const workerSrcDirective = [`worker-src 'self'`, `blob:`, `data:`].join(' ')
+
+  const cspDirectives = [
+    defaultSrcDirective,
+    imgSrcDirective,
+    scriptSrcDirective,
+    frameSrcDirective,
+    styleSrcDirective,
+    fontSrcDirective,
+    workerSrcDirective,
+    `object-src 'none'`,
+    `base-uri 'self'`,
+    `form-action 'self'`,
+    `frame-ancestors 'none'`,
+    `block-all-mixed-content`,
+    ...(process.env.NEXT_PUBLIC_IS_PLATFORM === 'true' &&
+    process.env.NEXT_PUBLIC_ENVIRONMENT === 'prod'
+      ? [`upgrade-insecure-requests`]
+      : []),
+  ]
+
+  const csp = cspDirectives.join('; ') + ';'
+
+  // Replace newline characters and spaces
+  return csp.replace(/\s{2,}/g, ' ').trim()
+}

apps/studio/lib/profile.tsx

@@ -1,5 +1,5 @@
 import * as Sentry from '@sentry/nextjs'
-import { useIsLoggedIn } from 'common'
+import { useIsLoggedIn, useUser } from 'common'
 import { useRouter } from 'next/router'
 import { PropsWithChildren, createContext, useContext, useMemo } from 'react'
 import { toast } from 'sonner'
@@ -30,6 +30,7 @@ export const ProfileContext = createContext<ProfileContextType>({
 })
 
 export const ProfileProvider = ({ children }: PropsWithChildren<{}>) => {
+  const user = useUser()
   const isLoggedIn = useIsLoggedIn()
   const router = useRouter()
   const signOut = useSignOut()
@@ -38,6 +39,16 @@ export const ProfileProvider = ({ children }: PropsWithChildren<{}>) => {
   const { mutate: createProfile, isLoading: isCreatingProfile } = useProfileCreateMutation({
     onSuccess: () => {
       sendEvent({ action: 'sign_up', properties: { category: 'conversion' } })
+
+      if (user) {
+        // Send an event to GTM, will do nothing if GTM is not enabled
+        const thisWindow = window as any
+        thisWindow.dataLayer = thisWindow.dataLayer || []
+        thisWindow.dataLayer.push({
+          event: 'sign_up',
+          email: user.email,
+        })
+      }
     },
     onError: (error) => {
       if (error.code === 409) {

apps/studio/next.config.js

@@ -2,115 +2,11 @@ const { withSentryConfig } = require('@sentry/nextjs')
 const withBundleAnalyzer = require('@next/bundle-analyzer')({
   enabled: process.env.ANALYZE === 'true',
 })
+const { getCSP } = require('./csp')
 
 // Required for nextjs standalone build
 const path = require('path')
 
-const API_URL = process.env.NEXT_PUBLIC_API_URL
-  ? new URL(process.env.NEXT_PUBLIC_API_URL).origin
-  : ''
-const SUPABASE_URL = process.env.SUPABASE_URL ? new URL(process.env.SUPABASE_URL).origin : ''
-const GOTRUE_URL = process.env.NEXT_PUBLIC_GOTRUE_URL
-  ? new URL(process.env.NEXT_PUBLIC_GOTRUE_URL).origin
-  : ''
-const SUPABASE_PROJECTS_URL = 'https://*.supabase.co'
-const SUPABASE_PROJECTS_URL_WS = 'wss://*.supabase.co'
-
-// construct the URL for the Websocket Local URLs
-let SUPABASE_LOCAL_PROJECTS_URL_WS = ''
-if (SUPABASE_URL) {
-  const url = new URL(SUPABASE_URL)
-  const wsUrl = `${url.hostname}:${url.port}`
-  SUPABASE_LOCAL_PROJECTS_URL_WS = `ws://${wsUrl} wss://${wsUrl}`
-}
-
-// Needed to test docs search in local dev
-const SUPABASE_DOCS_PROJECT_URL = process.env.NEXT_PUBLIC_SUPABASE_URL
-  ? new URL(process.env.NEXT_PUBLIC_SUPABASE_URL).origin
-  : ''
-
-// Needed to test docs content API in local dev
-const SUPABASE_CONTENT_API_URL = process.env.NEXT_PUBLIC_CONTENT_API_URL
-  ? new URL(process.env.NEXT_PUBLIC_CONTENT_API_URL).origin
-  : ''
-
-const SUPABASE_STAGING_PROJECTS_URL = 'https://*.supabase.red'
-const SUPABASE_STAGING_PROJECTS_URL_WS = 'wss://*.supabase.red'
-const SUPABASE_COM_URL = 'https://supabase.com'
-const CLOUDFLARE_CDN_URL = 'https://cdnjs.cloudflare.com'
-const HCAPTCHA_SUBDOMAINS_URL = 'https://*.hcaptcha.com'
-const HCAPTCHA_ASSET_URL = 'https://newassets.hcaptcha.com'
-const HCAPTCHA_JS_URL = 'https://js.hcaptcha.com'
-const CONFIGCAT_URL = 'https://cdn-global.configcat.com'
-const CONFIGCAT_PROXY_URL = ['staging', 'local'].includes(process.env.NEXT_PUBLIC_ENVIRONMENT)
-  ? 'https://configcat.supabase.green'
-  : 'https://configcat.supabase.com'
-const STRIPE_SUBDOMAINS_URL = 'https://*.stripe.com'
-const STRIPE_JS_URL = 'https://js.stripe.com'
-const STRIPE_NETWORK_URL = 'https://*.stripe.network'
-const CLOUDFLARE_URL = 'https://www.cloudflare.com'
-const ONE_ONE_ONE_ONE_URL = 'https://one.one.one.one'
-const VERCEL_URL = 'https://vercel.com'
-const VERCEL_INSIGHTS_URL = 'https://*.vercel-insights.com'
-const GITHUB_API_URL = 'https://api.github.com'
-const GITHUB_USER_CONTENT_URL = 'https://raw.githubusercontent.com'
-const GITHUB_USER_AVATAR_URL = 'https://avatars.githubusercontent.com'
-const GOOGLE_USER_AVATAR_URL = 'https://lh3.googleusercontent.com'
-const VERCEL_LIVE_URL = 'https://vercel.live'
-const SENTRY_URL =
-  'https://*.ingest.sentry.io https://*.ingest.us.sentry.io https://*.ingest.de.sentry.io'
-const SUPABASE_ASSETS_URL =
-  process.env.NEXT_PUBLIC_ENVIRONMENT === 'staging'
-    ? 'https://frontend-assets.supabase.green'
-    : 'https://frontend-assets.supabase.com'
-
-const USERCENTRICS_URLS = 'https://*.usercentrics.eu'
-const USERCENTRICS_APP_URL = 'https://app.usercentrics.eu'
-
-// used by vercel live preview
-const PUSHER_URL = 'https://*.pusher.com'
-const PUSHER_URL_WS = 'wss://*.pusher.com'
-
-const DEFAULT_SRC_URLS = `${API_URL} ${SUPABASE_URL} ${GOTRUE_URL} ${SUPABASE_LOCAL_PROJECTS_URL_WS} ${SUPABASE_PROJECTS_URL} ${SUPABASE_PROJECTS_URL_WS} ${HCAPTCHA_SUBDOMAINS_URL} ${CONFIGCAT_URL} ${CONFIGCAT_PROXY_URL} ${STRIPE_SUBDOMAINS_URL} ${STRIPE_NETWORK_URL} ${CLOUDFLARE_URL} ${ONE_ONE_ONE_ONE_URL} ${VERCEL_INSIGHTS_URL} ${GITHUB_API_URL} ${GITHUB_USER_CONTENT_URL} ${SUPABASE_ASSETS_URL} ${USERCENTRICS_URLS}`
-const SCRIPT_SRC_URLS = `${CLOUDFLARE_CDN_URL} ${HCAPTCHA_JS_URL} ${STRIPE_JS_URL} ${SUPABASE_ASSETS_URL}`
-const FRAME_SRC_URLS = `${HCAPTCHA_ASSET_URL} ${STRIPE_JS_URL}`
-const IMG_SRC_URLS = `${SUPABASE_URL} ${SUPABASE_COM_URL} ${SUPABASE_PROJECTS_URL} ${GITHUB_USER_AVATAR_URL} ${GOOGLE_USER_AVATAR_URL} ${SUPABASE_ASSETS_URL} ${USERCENTRICS_APP_URL}`
-const STYLE_SRC_URLS = `${CLOUDFLARE_CDN_URL} ${SUPABASE_ASSETS_URL}`
-const FONT_SRC_URLS = `${CLOUDFLARE_CDN_URL} ${SUPABASE_ASSETS_URL}`
-
-const csp = [
-  ...(process.env.NEXT_PUBLIC_VERCEL_ENV === 'preview' ||
-  process.env.NEXT_PUBLIC_ENVIRONMENT === 'local' ||
-  process.env.NEXT_PUBLIC_ENVIRONMENT === 'staging'
-    ? [
-        `default-src 'self' ${DEFAULT_SRC_URLS} ${SUPABASE_STAGING_PROJECTS_URL} ${SUPABASE_STAGING_PROJECTS_URL_WS} ${VERCEL_LIVE_URL} ${PUSHER_URL_WS} ${SUPABASE_DOCS_PROJECT_URL} ${SUPABASE_CONTENT_API_URL} ${SENTRY_URL};`,
-        `script-src 'self' 'unsafe-eval' 'unsafe-inline' ${SCRIPT_SRC_URLS} ${VERCEL_LIVE_URL} ${PUSHER_URL};`,
-        `frame-src 'self' ${FRAME_SRC_URLS} ${VERCEL_LIVE_URL};`,
-        `img-src 'self' blob: data: ${IMG_SRC_URLS} ${SUPABASE_STAGING_PROJECTS_URL} ${VERCEL_URL};`,
-        `style-src 'self' 'unsafe-inline' ${STYLE_SRC_URLS} ${VERCEL_LIVE_URL};`,
-        `font-src 'self' ${FONT_SRC_URLS} ${VERCEL_LIVE_URL};`,
-        `worker-src 'self' blob: data:;`,
-      ]
-    : [
-        `default-src 'self' ${DEFAULT_SRC_URLS} ${PUSHER_URL_WS} ${SENTRY_URL};`,
-        `script-src 'self' 'unsafe-eval' 'unsafe-inline' ${SCRIPT_SRC_URLS} ${VERCEL_LIVE_URL} ${PUSHER_URL};`,
-        `frame-src 'self' ${FRAME_SRC_URLS} ${VERCEL_LIVE_URL};`,
-        `img-src 'self' blob: data: ${IMG_SRC_URLS} ;`,
-        `style-src 'self' 'unsafe-inline' ${STYLE_SRC_URLS} ${VERCEL_LIVE_URL};`,
-        `font-src 'self' ${FONT_SRC_URLS} ${VERCEL_LIVE_URL};`,
-        `worker-src 'self' blob: data:;`,
-      ]),
-  `object-src 'none';`,
-  `base-uri 'self';`,
-  `form-action 'self';`,
-  `frame-ancestors 'none';`,
-  `block-all-mixed-content;`,
-  ...(process.env.NEXT_PUBLIC_IS_PLATFORM === 'true' &&
-  process.env.NEXT_PUBLIC_ENVIRONMENT === 'prod'
-    ? [`upgrade-insecure-requests;`]
-    : []),
-].join(' ')
-
 function getAssetPrefix() {
   // If not force enabled, but not production env, disable CDN
   if (process.env.FORCE_ASSET_CDN !== '1' && process.env.VERCEL_ENV !== 'production') {
@@ -511,7 +407,8 @@ const nextConfig = {
           },
           {
             key: 'Content-Security-Policy',
-            value: process.env.NEXT_PUBLIC_IS_PLATFORM === 'true' ? csp : "frame-ancestors 'none';",
+            value:
+              process.env.NEXT_PUBLIC_IS_PLATFORM === 'true' ? getCSP() : "frame-ancestors 'none';",
           },
           {
             key: 'Referrer-Policy',