Cookie consent

lib/AppInfo/Application.php

@@ -4,15 +4,14 @@
 
 namespace OCA\NCGoogleAnalytics\AppInfo;
 
-use OC\Security\CSP\ContentSecurityPolicyManager;
-use OC\Security\CSP\ContentSecurityPolicyNonceManager;
+use OCA\NCGoogleAnalytics\Listener\LoadScript;
+use OCA\NCGoogleAnalytics\Listener\AddCsp;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
 use OCP\AppFramework\Bootstrap\IRegistrationContext;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
-use OCP\IURLGenerator;
-use OCP\Util;
+use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
 
 class Application extends App implements IBootstrap
 {
@@ -23,60 +22,12 @@ public function __construct()
         parent::__construct(self::APP_ID);
     }
 
-    public function register(IRegistrationContext $context): void
-    {
+    public function register(IRegistrationContext $context): void {
+        $context->registerEventListener(BeforeTemplateRenderedEvent::class, LoadScript::class);
+        $context->registerEventListener(AddContentSecurityPolicyEvent::class, AddCsp::class);
     }
 
     public function boot(IBootContext $context): void
     {
-        $context->injectFn([$this, 'addTrackingScript']);
-        $context->injectFn([$this, 'addContentSecurityPolicy']);
-    }
-
-    public function addTrackingScript(IURLGenerator $urlGenerator, ContentSecurityPolicyNonceManager $nonceManager): void
-    {
-        Util::addHeader(
-            'script',
-            [
-                'src' => $urlGenerator->linkToRoute('googleanalytics.JavaScript.tracking'),
-                'nonce' => $nonceManager->getNonce(),
-            ],
-            ''
-        );
-    }
-
-    /**
-     * Add the Content Security Policy for the Google Analytics tracking according
-     * to https://developers.google.com/tag-platform/security/guides/csp
-     *
-     * @param ContentSecurityPolicyManager $policyManager
-     * @return void
-     */
-    public function addContentSecurityPolicy(ContentSecurityPolicyManager $policyManager): void
-    {
-        $policy = new ContentSecurityPolicy();
-
-        $policy->addAllowedScriptDomain("*.googletagmanager.com");
-        $policy->addAllowedImageDomain("*.googletagmanager.com");
-        $policy->addAllowedConnectDomain("*.googletagmanager.com");
-
-        $policy->addAllowedScriptDomain("tagmanager.google.com");
-        $policy->addAllowedImageDomain("tagmanager.google.com");
-        $policy->addAllowedConnectDomain("tagmanager.google.com");
-
-        $policy->addAllowedScriptDomain("*.google-analytics.com");
-        $policy->addAllowedImageDomain("*.google-analytics.com");
-        $policy->addAllowedConnectDomain("*.google-analytics.com");
-
-        // additional SCP for GTM preview mode
-        $policy->addAllowedStyleDomain("https://www.googletagmanager.com");
-        $policy->addAllowedStyleDomain("https://fonts.googleapis.com");
-
-        $policy->addAllowedFontDomain("https://fonts.gstatic.com");
-
-        $policy->addAllowedImageDomain("https://fonts.gstatic.com");
-        $policy->addAllowedImageDomain("https://fonts.googleapis.com");
-
-        $policyManager->addDefaultPolicy($policy);
     }
 }

lib/Listener/AddCsp.php

@@ -0,0 +1,58 @@
+<?php
+/**
+ * SPDX-FileLicenseText: 2024 STRATO AG
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\NCGoogleAnalytics\Listener;
+
+use OCA\NCGoogleAnalytics\Service\ConsentDetection;
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+
+/**
+ * Configure Google sites for content security policy (CSP).
+ */
+class AddCsp implements IEventListener {
+	public function __construct(
+		private ConsentDetection $consentDetection
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!($event instanceof AddContentSecurityPolicyEvent)) {
+			return;
+		}
+
+		if (!$this->consentDetection->isConsentGiven()) {
+			return;
+		}
+
+		$policy = new ContentSecurityPolicy();
+
+		$policy->addAllowedScriptDomain("*.googletagmanager.com");
+		$policy->addAllowedImageDomain("*.googletagmanager.com");
+		$policy->addAllowedConnectDomain("*.googletagmanager.com");
+
+		$policy->addAllowedScriptDomain("tagmanager.google.com");
+		$policy->addAllowedImageDomain("tagmanager.google.com");
+		$policy->addAllowedConnectDomain("tagmanager.google.com");
+
+		$policy->addAllowedScriptDomain("*.google-analytics.com");
+		$policy->addAllowedImageDomain("*.google-analytics.com");
+		$policy->addAllowedConnectDomain("*.google-analytics.com");
+
+		// additional SCP for GTM preview mode
+		$policy->addAllowedStyleDomain("https://www.googletagmanager.com");
+		$policy->addAllowedStyleDomain("https://fonts.googleapis.com");
+
+		$policy->addAllowedFontDomain("https://fonts.gstatic.com");
+
+		$policy->addAllowedImageDomain("https://fonts.gstatic.com");
+		$policy->addAllowedImageDomain("https://fonts.googleapis.com");
+
+		$event->addPolicy($policy);
+	}
+}

lib/Listener/LoadScript.php

@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * SPDX-FileLicenseText: 2024 STRATO AG
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\NCGoogleAnalytics\Listener;
+
+use OC\Security\CSP\ContentSecurityPolicyNonceManager;
+use OCA\NCGoogleAnalytics\Service\ConsentDetection;
+use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\IURLGenerator;
+use OCP\Util;
+
+/**
+ * Inject tracking script
+ */
+class LoadScript implements IEventListener {
+	public function __construct(
+		private IURLGenerator $urlGenerator,
+		private ContentSecurityPolicyNonceManager $nonceManager,
+		private ConsentDetection $consentDetection,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!($event instanceof BeforeTemplateRenderedEvent)) {
+			return;
+		}
+
+		if (!$this->consentDetection->isConsentGiven()) {
+			return;
+		}
+
+		Util::addHeader(
+			'script',
+			[
+				'src' => $this->urlGenerator->linkToRoute('googleanalytics.JavaScript.tracking'),
+				'nonce' => $this->nonceManager->getNonce(),
+			],
+			''
+		);
+	}
+}

lib/Service/ConsentDetection.php

@@ -0,0 +1,31 @@
+<?php
+
+/**
+ * SPDX-FileLicenseText: 2024 STRATO AG
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\NCGoogleAnalytics\Service;
+
+use OCP\IRequest;
+
+/**
+ * Detector to test whether tracking consent was given.
+ * A cookie value is inspected.
+ * The implementation is IONOS specific.
+ */
+class ConsentDetection {
+    const CONSENT_COOKIE_NAME = "PRIVACY_CONSENT";
+
+    public function __construct(
+        private IRequest $request,
+    ) {
+    }
+
+    public function isConsentGiven(): bool {
+        $codedJsonStr = $this->request->getCookie(self::CONSENT_COOKIE_NAME);
+        $jsonStr = base64_decode($codedJsonStr);
+        $settings = json_decode($jsonStr);
+        return $settings->statistics ?? false;
+    }
+}