Merge branch 'master' into niall/update_idfa_react

Author: sanscontext

src/_data/sidenav/main.yml

@@ -35,8 +35,6 @@ sections:
     title: How does Segment handle duplicate data?
   - path: /guides/ignore-bots
     title: How can I ignore internet bots?
-  - path: /guides/intelligent-tracking-prevention
-    title: Is Segment impacted by Intelligent Tracking Prevention?
   - path: /guides/segment-vs-tag-managers
     title: What is the difference between Segment and tag managers?
   - path: /guides/what-is-replay

src/_data/sidenav/strat.yml

@@ -62,6 +62,8 @@ sections:
   section:
   - path: /connections/sources/catalog/libraries/website/javascript
     title: Analytics.js (Javascript) Source
+  - path: /connections/sources/catalog/libraries/website/javascript/supported-browsers
+    title: Analytics.js Supported Browsers
   - path: /connections/sources/catalog/libraries/website/javascript/quickstart
     title: Quickstart Tutorial
   - path: /connections/sources/catalog/libraries/website/javascript/identity

src/connections/sources/catalog/libraries/website/javascript/index.md

@@ -621,11 +621,6 @@ When enabled, Analytics.js automatically retries network and server errors. With
 
 Analytics.js stores events in `localStorage` and falls back to in-memory storage when `localStorage` is unavailable. It retries up to 10 times with an incrementally increasing backoff between each retry. Analytics.js queues up to 100 events at a time to avoid using too much of the device's local storage. See the [destination Retries documentation](/docs/connections/destinations/#retries) to learn more.
 
-
-## Proxying Analytics.js
-
-To use a proxy server with Analytics.js, first change the `cdn.segment.com` address in the snippet to use your own host. Next, [contact Segment Product Support](https://segment.com/help/contact/) and request to change the endpoint Segment sends your events to so that is uses your proxy instead. Make sure that your proxy behaves exactly like the Segment APIs. You can use [the Segment proxy server](https://github.com/segmentio/segment-proxy) as an example of a correctly-working proxy.
-
 ## Plugins
 
 Segment offers video player 'plugins' so you can quickly collect video events using Analytics.js. See the specific documentation below to learn more:
@@ -657,3 +652,14 @@ Segment's Analytics.js javascript snippet only increases the page size by about
 However, the snippet asynchronously requests and loads a customized javascript bundle (`analytics.min.js`), which contains the code and settings needed to load your [device-mode destinations](/docs/connections/destinations/#connection-modes). The size of this file changes depending on how many and which destinations you enable.
 
 Without any destinations enabled, the `analytics.min.js` file is about 62KB. Each time you enable a destination, the file's size may increase slightly.
+
+### Localstorage cookies used by Analytics.js
+
+Analytics.js uses a few `localstorage` cookies if you have retries enabled, to keep track of retry timing.
+- The `ack` cookie is a timer used to see if another tab should claim the retry queue.
+- The `reclaimStart` and `reclaimEnd` cookies determine if a tab takes over the queue from another tab.
+- The `inProgress` and `queue` cookies track events in progress, and events that are queued to be retried.
+
+For more information, visit the [Segment localstorage-retry library](https://github.com/segmentio/localstorage-retry).
+
+You can set the `debug` cookie to `analytics.js` to log debug messages from Analytics.js to the console.

src/connections/sources/catalog/libraries/website/javascript/supported-browsers.md

@@ -0,0 +1,39 @@
+---
+title: Analytics.js Browser Support
+redirect_from: '/guides/intelligent-tracking-prevention'
+strat: ajs
+---
+
+[The Segment JavaScript library, Analytics.js](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/), loads a snippet on your webpage that supports existing user consent APIs and native browser controls. Segment regularly tests Analytics.js against the following browsers on all major platforms, and updates the library accordingly.
+
+The library is regularly tested and is functional with the following browsers:
+
+- Internet Explorer
+- Apple Safari
+- Google Chrome
+- Mozilla Firefox
+- Microsoft Edge
+- Brave
+
+### Internet Explorer Support
+
+Segment guarantees support for Internet Explorer 11 and later for Analytics.js. Remember that different bundled (device-mode) destinations might have different compatibility guarantees for their own products. Refer to the vendor’s documentation to confirm browser compatibility.
+
+
+## Tracking Protection (ITP, ETP)
+
+Segment is a customer data platform (CDP) that helps companies harness first-party customer data. The recent browser changes fully align with Segment’s privacy stance.
+
+Browser manufacturers have enhanced their privacy features by adding third-party tracking protection mechanisms for end-users. These browser changes target third-party trackers and their cookies, and each platform takes a different approach.
+
+For example, [Firefox Enhanced Tracking Protection (ETP)](https://blog.mozilla.org/blog/2020/08/04/latest-firefox-rolls-out-enhanced-tracking-protection-2-0-blocking-redirect-trackers-by-default/) relies on a dynamic list of known trackers to decide what to block. Browsers that use [Apple’s Webkit engine](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/), like Safari and Chrome for iOS, use Intelligent Tracking Protection (ITP) which actively prevents the browser from loading cookies from a third-party domain.
+
+> info ""
+> **Note:** Segment cookies expire after seven days of user inactivity, like all other application cookies under the Webkit engine ITP policy.
+
+## Proxying Analytics.js
+
+Because of regulatory, environmental, or security concerns, some customers prefer to set up proxy infrastructure for Analytics.js. You can use the `apihost` configuration option in the Analytics object to route traffic to different API endpoints. Business Tier customers can use Segment’s fully-managed proxy service: In-domain Instrumentation, which provides a similar function without the additional maintenance burden and cost of running your own proxy infrastructure.
+
+> info ""
+> Business Tier customers who want to use a fully-managed proxy service can contact their account teams for full details.

src/connections/sources/catalog/libraries/website/javascript/troubleshooting.md

@@ -51,15 +51,6 @@ In the below image, we use Google Analytics as an example. Our `page` call forms
 
 If this outbound request is not showing up in the network when you fire an `identify` call, then check the following:
 
-## Do you have any ad blockers enabled in your browser?
-
-Segment and many destination partners use cookies/local storage to store information about users in the browser. Ad blockers prevent cookies and other data these tools rely on to make valid analytics requests. Some portion of your users are probably using ad blockers, which prevent the Segment script from fully executing. Both desktop and mobile browsers are impacted.
-
-One particular issue is Safari private browsing mode which allows Analytics.js Identify calls to be made, but the traits object is stripped from the call. This results in identify calls missing email address and other traits.
-
-## Internet Explorer Support
-
-We guarantee support for Internet Explorer 9 and higher for Analytics.js. Keep in mind that different tools may have different compatibility guarantees for their own products. Refer to the vendor's documents to see what their browser compatibility looks like.
 
 ## Is your web site deployed under a domain on the Public Suffix List?
 
@@ -112,10 +103,19 @@ console.log(JSON.stringify({ x: undefined, y: 6 }));
 // expected output: "{"y":6}"
 ```
 
+## Why am I seeing a "SameSite" warning? 
+
+If you see a warning like the following, it could have one of several causes:
+"A cookie associated with a cross-site resource at http://segment.com/ was set without the `SameSite` attribute [...]"
+
+Segment correctly sets cookies with the 'SameSite' attribute with Analytics.js. 
+
+If you see this warning, it is because you previously visited http://segment.com, and are getting the warning due to unrelated cookies. To verify that this is the issue, visit your page in Incognito Mode and confirm that the warning no longer occurs. Your users won't see this warning unless they _also_  visited http://segment.com.
+
 
 ### Can I overwrite the context fields?
 
-Yes.  This can be useful if some of these fields contain information you don't want to collect.  
+Yes.  This can be useful if some of these fields contain information you don't want to collect.
 
 For example, imagine that your website allows users to view a receipt for purchases at the URL `https://mywebsite.com/store/purchases`.  Your users click a link that redirects to that specific URL, your app sets a `receiptId` in the query string, and returns the appropriate receipt.  You also send a Track call to Segment from this page.
 
@@ -125,7 +125,7 @@ Since this `receiptId` might contain sensitive information, you can prevent the
 analytics.track("Receipt Viewed", {}, {
     page: {
         url: null
-    }   
+    }
 })
 ```
 

src/connections/storage/catalog/data-lakes/index.md

@@ -20,7 +20,7 @@ Before you set up Segment Data Lakes, you need the following resources:
 
 You can use the [open source Terraform module](https://github.com/segmentio/terraform-aws-data-lake) to automate much of the set up work to get Data Lakes up and running. If you’re familiar with Terraform, you can modify the module to meet your organization’s needs, however Segment guarantees support only for the template as provided. The Data Lakes set up uses Terraform v0.11+. To support more versions of Terraform, the aws provider must use v2, which is included in our example main.tf.
 
-You can also use our [manual set up instructions](https://docs.google.com/document/d/1GlWzS5KO4QaiVZx9pwfpgF-N-Xy2e_QQcdYSX-nLMDU/view) to configure these AWS resources if you prefer.
+You can also use our [manual set up instructions](/docs/connections/storage/data-lakes/data-lakes-manual-setup) to configure these AWS resources if you prefer.
 
 The Terraform module and manual set up instructions both provide a base level of permissions to Segment (for example, the correct IAM role to allow Segment to create Glue databases on your behalf). If you want stricter permissions, or other custom configurations, you can customize these manually.
 
@@ -57,12 +57,12 @@ Once the Data Lakes destination is enabled, the first sync will begin approximat
 
 ## Step 3 - Verify Data is Synced to S3 and Glue
 
-You will see event data and [sync reports](https://segment.com/docs/connections/storage/data-lakes/sync-reports) populated in S3 and Glue after the first sync successfully completes. However if an [insufficient permission](https://segment.com/docs/connections/storage/data-lakes/sync-reports/#insufficient-permissions) or [invalid setting](https://segment.com/docs/connections/storage/data-lakes/sync-reports/#invalid-settings) is provided during set up, the first data lake sync will fail.
+You will see event data and [sync reports](/docs/connections/storage/data-lakes/sync-reports) populated in S3 and Glue after the first sync successfully completes. However if an [insufficient permission](/docs/connections/storage/data-lakes/sync-reports/#insufficient-permissions) or [invalid setting](/docs/connections/storage/data-lakes/sync-reports/#invalid-settings) is provided during set up, the first data lake sync will fail.
 
 To be alerted of sync failures via email, subscribe to the `Storage Destination Sync Failed` activity email notification within the App Settings > User Preferences > [Notification Settings](https://app.segment.com/goto-my-workspace/settings/notifications).
 ![](images/dl_activity_notifications2.png)
 
-`Sync Failed` emails are sent on the 1st, 5th and 20th sync failure. Learn more about the types of errors which can cause sync failures [here](https://segment.com/docs/connections/storage/data-lakes/sync-reports/#sync-errors).
+`Sync Failed` emails are sent on the 1st, 5th and 20th sync failure. Learn more about the types of errors which can cause sync failures [here](/docs/connections/storage/data-lakes/sync-reports/#sync-errors).
 
 
 ## (Optional) Step 4 - Replay Historical Data

src/connections/storage/data-lakes/data-lakes-manual-setup.md

@@ -0,0 +1,192 @@
+---
+hidden: true
+title: Configure the Data Lakes AWS Environment
+---
+
+The instructions below will guide you through the process required to configure the environment required to begin loading data into your Segment Data Lake. For a more automated process, see [Step 1 - Configure AWS Resources](#step-1---configure-aws-resources) above.
+
+
+## Step 1 - Create an S3 Bucket
+
+In this step, you'll create the S3 bucket that will store both the intermediate and final data.
+
+> info ""
+> Take note of the S3 bucket name you set in this step, as the rest of the set up flow requires it. In these instructions, `segment-data-lake` is used.
+
+During the set up process, create a Lifecycle rule and set it to expire staging data after **14 days**. For more information, see Amazon's documentation, [How do I create a lifecycle?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-lifecycle.html).
+
+![Create a Lifecycle rule to expire staging data after 14 days](images/01_14-day-lifecycle.png)
+
+## Step 2 - Configure an EMR cluster
+
+Segment requires access to an EMR cluster to perform necessary data processing. We recommend starting with a small cluster, with the option to add more compute as required.
+
+### Configure the hardware and networking configuration
+
+1. Locate and select EMR from the AWS console.
+2. Click **Create Cluster**, and open the **Advanced Options**.
+3. In the Advanced Options, on Step 1: Software and Steps, ensure the following options are selected, along with the defaults:
+   - `Use for Hive table metadata`
+   - `Use for Spark table metadata` ![Select to use for both Have and Spark table metadata](images/02_hive-spark-table.png)
+4. In the Networking setup section, select to create the cluster in either a public or private subnet. Creating the cluster in a private subnet is more secure, but requires some additional configuration. Creating a cluster in a public subnet is accessible from the internet. However, you can configure strict security groups to prevent inbound access to the cluster. See Amazon's document, [Amazon VPC Options - Amazon EMR](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-clusters-in-a-vpc.html) for more information. As a best practice, Segment recommends that you consult with your network and security before you configure your EMR cluster.
+5. In the Hardware Configuration section, create a cluster with the nodes listed below. This configuration uses the default **On demand** purchasing option for the instances.
+   - **1** master node
+   - **2** core nodes
+   - **2** task nodes ![Configure the number of nodes](images/03_hardware-node-instances.png)
+ 
+For more information about configuring the cluster hardware and networking, see Amazon's document, [Configure Cluster Hardware and Networking](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-instances.html).
+
+### Enable EMR managed scaling for the Core and Task nodes
+
+On the **Cluster Scaling** settings, select **Use EMR-managed scaling**, and select the following number of task units:
+- Minimum: **2**
+- Maximum: **8**
+- On-demand limit: **8**
+- Maximum Core Node: **2**
+
+![Configure the Cluster scaling options](images/04_cluster-scaling.png)
+
+### Configure logging
+
+On the General Options step, configure logging to use the same S3 bucket you configured as the destination for the final data (`segment-data-lakes` in this case). Once configured, logs will be written to a new prefix, and separated from the final processed data.
+
+Set value of the **vendor** tag to `segment`.
+
+![Configure logging](images/05_logging.png)
+
+### Secure the cluster
+
+On the Security step, ensure that the following steps have been completed:
+1. Create or select an **EC2 key pair**.
+2. Choose the appropriate roles in the **EC2 instance profile**.
+3. Select the appropriate security groups for the Master and Core & Task types.
+
+![Secure the cluster](images/06_secure-cluster.png)
+
+## Step 3 - Create an Access Management role and policy
+
+The following steps provide examples of the IAM Role and IAM Policy.
+
+### IAM Role
+
+Create a `segment-data-lake-role` role for Segment to assume. Attach the following trust relationship document to the role:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::294048959147:role/customer-datalakes-prod-admin",
+          "arn:aws:iam::294048959147:role/datalakes-aws-worker",
+          "arn:aws:iam::294048959147:role/datalakes-customer-service"
+        ]
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": [
+            "SOURCE_1",
+            "SOURCE_N"
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+> note ""
+> **NOTE:** Replace the `ExternalID` list with the Segment `SourceId` values that are synced to the Data Lake.
+
+### IAM Policy
+
+Add a policy to the role created above to give Segment access to the relevant Glue databases and tables, EMR cluster, and S3
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "elasticmapreduce:TerminateJobFlows",
+                "elasticmapreduce:RunJobFlow",
+                "elasticmapreduce:DescribeStep",
+                "elasticmapreduce:DescribeCluster",
+                "elasticmapreduce:CancelSteps",
+                "elasticmapreduce:AddJobFlowSteps"
+            ],
+            "Effect": "Allow",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "elasticmapreduce:ResourceTag/vendor": "segment"
+                }
+            }
+        },
+                {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "glue:UpdateTable",
+                "glue:UpdatePartition",
+                "glue:GetTables",
+                "glue:GetTableVersions",
+                "glue:GetTableVersion",
+                "glue:GetTable",
+                "glue:GetPartitions",
+                "glue:GetPartition",
+                "glue:DeleteTableVersion",
+                "glue:DeleteTable",
+                "glue:DeletePartition",
+                "glue:CreateTable",
+                "glue:CreatePartition",
+                "glue:CreateDatabase",
+                "glue:BatchGetPartition",
+                "glue:BatchDeleteTableVersion",
+                "glue:BatchDeleteTable",
+                "glue:BatchDeletePartition",
+                "glue:BatchCreatePartition"
+            ],
+            "Resource": [
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:table/*",
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:database/default",
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:database/*",
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:catalog"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "*",
+            "Resource": [
+                "arn:aws:s3:::$BUCKET_NAME/*", 
+                "arn:aws:s3:::$BUCKET_NAME"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "athena:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```
+
+> note ""
+> **NOTE:** The policy above grants full access to Athena, but the individual Glue and S3 policies decide which table can be queried. Segment queries only for debugging purposes, and will notify you be for running any queries.
+
+## Debugging
+
+Segment requires access to the data and schema for debugging data quality issues. The modes available for debugging are:
+- Access the individual objects stored in S3 and the associated schema in order to understand data discrepancies
+- Run an Athena query on the underlying data stored in S3
+  - Ensure Athena uses Glue as the data catalog. Older accounts may not have this configuration, and may require some additional steps to complete the upgrade. The Glue console typically displays a warning and provides a link to instructions on how to complete the upgrade.
+  - An easier alternative is to create a new account that has Athena backed by Glue as the default. 
+