Remove the overly permissive *.posthog.com wildcard from CSP configuration.
The PostHog reverse proxy at ph.supabase.com/ph.supabase.green handles all
necessary PostHog endpoints including /flags for feature flags.
This improves security by only allowing our controlled reverse proxy domains
rather than the entire PostHog infrastructure.
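As an added illustration (not code from the Supabase repository or from PostHog), the following checker parses a Content-Security-Policy header and flags wildcard hosts in connect-src, the directive that governs where posthog-js may send requests; the two proxy hosts are the ones named above, while the rest of each policy string is constructed for the example.

```javascript
// Added example: audit a CSP header for wildcard sources in connect-src.
// Only the proxy host names come from the commit; both policies below are
// constructed to show the permissive setting beside the tightened one.

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return the sources of `directive` that match any host under a domain
// (a "*." prefix) or every host ("*"), which is the pattern being removed.
function wildcardSources(header, directive = 'connect-src') {
  const sources = parseCsp(header)[directive] || [];
  return sources.filter((src) => {
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
    return host === '*' || host.startsWith('*.');
  });
}

// Before: any host under posthog.com is reachable from the page.
const PERMISSIVE_CSP =
  "default-src 'self'; " +
  "connect-src 'self' https://*.posthog.com https://ph.supabase.com https://ph.supabase.green";

// After: only the two controlled reverse-proxy hosts, which forward /flags
// and the other PostHog endpoints the client needs.
const TIGHTENED_CSP =
  "default-src 'self'; " +
  "connect-src 'self' https://ph.supabase.com https://ph.supabase.green";

// Example run: report what each policy would allow.
for (const [label, csp] of [['before', PERMISSIVE_CSP], ['after', TIGHTENED_CSP]]) {
  console.log(label, 'wildcards:', wildcardSources(csp));
}
```

Running the same check in CI against the header emitted by the middleware catches a wildcard being reintroduced later.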
PostHog feature flags and other advanced features (toolbar, session replay)
require direct connections to *.posthog.com endpoints, even when using our
proxy server for main event ingestion. This adds the necessary CSP rules.
Adds client-side PostHog tracking to run in parallel with server-side telemetry across studio, docs, and www. This enables session replays and resolves a race condition where page views arrive before group assignments, resulting in attribution errors.
Changes:
- Created PostHog client wrapper with consent-aware initialization in common package
- Integrated PostHog client calls into existing telemetry functions to send events to both PostHog (client) and backend (server)
- Updated CSP to allow connections to PostHog endpoints
- Added environment variable support for all apps
- PostHog client accepts consent as a parameter and respects user preferences
- Events can be distinguished in PostHog by $lib property (posthog-js vs posthog-node)
- PostHog URL configured based on environment (staging/local uses ph.supabase.green)
- Maintains full backward compatibility with existing telemetry system
Resolves GROWTH-438
Resolves GROWTH-271
- Mandatory address input when adding a new payment method
- Removed the global HCaptcha store that wasn't used consistently and would sometimes block payment method changes
- Remove the custom billing address data & tax id form on org creation and plan upgrades in favour of Stripe's `AddressElement`
- Unify usage of the Stripe payment elements into a single component
- Customers can mark "Purchasing as a business" and will then be able to put down a tax id
- Adjusted billing address form to have better labels + tax id is filtered down to selected country
- Adjusted Stripe Elements styling to use floating labels (otherwise very hard to use with address element) + additional styling changes
- New flag to filter out payment methods that do not have an address for org upgrades and credit top ups; this will be enforced a few days after rolling this out
- Added Google Maps Places API integration for address auto-completion via Stripe AddressElement
- Upgraded Stripe dependencies
- Slight adjustments to styling of plan upgrade modal
* Add third-parties dependency for GTM. Reexport the GTM from the common package.
* Add the TelemetryTagManager to four of the production apps.
* Add the GOOGLE_TAG_MANAGER_ID env var as a turbo dependency to the 4 apps.
* Skip rendering the tag manager if the env var is not set or not running on the platform.
* Fix the prop type to be extracted from the component.
* Add default values for consent to GTM.
* Another try to mimic gtag function.
* Fix a link in www.
* Try another approach.
* try.
* Remove the data-redaction flag.
* Remove extra code.
* Send a sign-up event if GTM is enabled.
* Send only the email to GTM.
* Minor fixes.
* Remove third-parties from pnpm lockfile.
* Lets try to make studio work again.
* Add CSP rules for img loading for GTM.
* Add event for testing.
* Add www.googletagmanager.com to the CSP rules.
* Add Stape to CSP rules.
* Fix stape CSP.
* Clean up the code.
* Remove extra console.log.
* Fix the stape urls for CORS.
* Fix the wrong category for Stape URL.
* Add google ads urls.
* Bump the timeout.
* Add google.com to the img-src for google ads.
* update csp
* remove comment
* update to use google analytics without signals
* add stape to default-src in csp
* move csp to middleware
* add google ads support and fix middleware base path
* remove google tag manager / google ads references from csp. load via stape proxy instead
* add double click url to image src
* add Google Tag Manager URL to CSP configuration
* add ga4 urls to csp
* remove google urls from CSP
---------
Co-authored-by: Alaister Young <[email protected]>