c15t 0.0.1-rc.3

package/src/libs/consent-utils.ts

@@ -0,0 +1,70 @@
+import type { AllConsentNames, ConsentState } from '../types';
+
+/**
+ * Determines the effective consents based on the user's Do Not Track setting.
+ *
+ * @param consents - The current state of user consents.
+ * @param honorDoNotTrack - Whether to respect the user's Do Not Track setting.
+ * @returns The effective consents after considering Do Not Track.
+ */
+export function getEffectiveConsents(
+	consents: ConsentState,
+	honorDoNotTrack: boolean
+): ConsentState {
+	if (
+		honorDoNotTrack &&
+		typeof window !== 'undefined' &&
+		window.navigator.doNotTrack === '1'
+	) {
+		return Object.keys(consents).reduce((acc, key) => {
+			if (key in consents) {
+				acc[key as AllConsentNames] = key === 'necessary';
+			}
+			return acc;
+		}, {} as ConsentState);
+	}
+	return consents;
+}
+
+/**
+ * Checks if the user has given consent for a specific type.
+ *
+ * @param consentType - The type of consent to check.
+ * @param consents - The current state of user consents.
+ * @param honorDoNotTrack - Whether to respect the user's Do Not Track setting.
+ * @returns True if consent is given, false otherwise.
+ */
+export function hasConsentFor(
+	consentType: AllConsentNames,
+	consents: ConsentState,
+	honorDoNotTrack: boolean
+): boolean {
+	const effectiveConsents = getEffectiveConsents(consents, honorDoNotTrack);
+	return effectiveConsents[consentType] || false;
+}
+
+/**
+ * Determines if the user has consented based on consent information.
+ *
+ * @param consentInfo - The consent information.
+ * @returns True if the user has consented, false otherwise.
+ */
+export function hasConsented(
+	consentInfo: { time: number; type: 'all' | 'custom' | 'necessary' } | null
+): boolean {
+	return consentInfo !== null;
+}
+
+/**
+ * Checks if a specific consent type is enabled.
+ *
+ * @param consentType - The type of consent to check.
+ * @param consents - The current state of user consents.
+ * @returns True if the consent type is enabled, false otherwise.
+ */
+export function isConsentEnabled(
+	consentType: AllConsentNames,
+	consents: ConsentState
+): boolean {
+	return consents[consentType] || false;
+}

package/src/libs/tracking-blocker.ts

@@ -0,0 +1,202 @@
+/**
+ * @packageDocumentation
+ * Implements automatic blocking of tracking scripts and network requests until user consent is granted.
+ *
+ * IMPORTANT: This module overrides global `fetch` and `XMLHttpRequest` APIs to enforce consent requirements.
+ * While this approach is necessary for proper consent management, it may conflict with other libraries that
+ * also modify these APIs. This implementation takes precedence to ensure compliance.
+ */
+
+import type { AllConsentNames, ConsentState } from '../types';
+import DEFAULT_DOMAIN_CONSENT_MAP from './tracking-domains';
+
+/**
+ * Configuration options for the tracking blocker
+ */
+export interface TrackingBlockerConfig {
+	/** Whether to disable automatic blocking (defaults to false) */
+	disableAutomaticBlocking?: boolean;
+
+	/** Override the default domain consent map */
+	overrideDomainConsentMap?: boolean;
+
+	/** Map of domains to their required consent types */
+	domainConsentMap?: Record<string, AllConsentNames>;
+}
+
+/**
+ * Create default consent state with all consents set to their default values
+ */
+function createDefaultConsentState(): ConsentState {
+	return {
+		experience: false,
+		functionality: false,
+		marketing: false,
+		measurement: false,
+		necessary: true,
+	};
+}
+
+interface TrackingBlocker {
+	updateConsents: (newConsents: ConsentState) => void;
+	destroy: () => void;
+}
+
+/**
+ * Creates a tracking blocker instance that handles blocking of tracking scripts and network requests
+ */
+export function createTrackingBlocker(
+	config: TrackingBlockerConfig = {},
+	initialConsents?: ConsentState
+): TrackingBlocker {
+	const blockerConfig = {
+		disableAutomaticBlocking: false,
+		...config,
+		domainConsentMap: config.overrideDomainConsentMap
+			? config.domainConsentMap
+			: { ...DEFAULT_DOMAIN_CONSENT_MAP, ...config.domainConsentMap },
+	};
+
+	let consents = initialConsents || createDefaultConsentState();
+	const originalFetch = window.fetch;
+	const originalXHR = window.XMLHttpRequest;
+
+	/**
+	 * Normalize a domain by removing 'www.' prefix and ensuring consistent format
+	 */
+	function normalizeDomain(domain: string): string {
+		return domain
+			.toLowerCase()
+			.replace(/^www\./, '')
+			.replace(/:\d+$/, '') // Remove port numbers
+			.trim();
+	}
+
+	/**
+	 * Check if a domain matches any entry in the domain map, including subdomains
+	 */
+	function findMatchingDomain(
+		domain: string,
+		domainMap: Record<string, AllConsentNames>
+	): AllConsentNames | undefined {
+		const normalizedDomain = normalizeDomain(domain);
+
+		// First try exact match
+		const directMatch = domainMap[normalizedDomain];
+		if (directMatch) {
+			return directMatch;
+		}
+
+		// Then try matching as a subdomain
+		for (const [mapDomain, consent] of Object.entries(domainMap)) {
+			const normalizedMapDomain = normalizeDomain(mapDomain);
+			if (
+				normalizedDomain.endsWith(`.${normalizedMapDomain}`) ||
+				normalizedDomain === normalizedMapDomain
+			) {
+				return consent;
+			}
+		}
+
+		return undefined;
+	}
+
+	/**
+	 * Check if a URL requires consent and if that consent has been granted
+	 */
+	function isRequestAllowed(url: string): boolean {
+		try {
+			const domain = new URL(url).hostname;
+			const requiredConsent = findMatchingDomain(
+				domain,
+				blockerConfig.domainConsentMap || {}
+			);
+
+			if (!requiredConsent) {
+				return true;
+			}
+
+			const isAllowed = consents[requiredConsent] === true;
+			return isAllowed;
+		} catch (error) {
+			return true;
+		}
+	}
+
+	/**
+	 * Dispatch an event when a request is blocked due to missing consent
+	 */
+	function dispatchConsentBlockedEvent(url: string): void {
+		document.dispatchEvent(
+			new CustomEvent('ConsentBlockedRequest', { detail: { url } })
+		);
+	}
+
+	/**
+	 * Intercept and potentially block network requests
+	 */
+	function interceptNetworkRequests(): void {
+		// Override fetch only if it hasn't been modified by another script
+		if (window.fetch === originalFetch) {
+			window.fetch = async (input: RequestInfo | URL, init?: RequestInit) => {
+				const url = input instanceof Request ? input.url : input.toString();
+				if (!isRequestAllowed(url)) {
+					dispatchConsentBlockedEvent(url);
+					return Promise.reject(
+						new Error(`Request to ${url} blocked due to missing consent`)
+					);
+				}
+
+				return await originalFetch.call(window, input, init);
+			};
+		}
+
+		// Override XMLHttpRequest only if it hasn't been modified
+		if (window.XMLHttpRequest === originalXHR) {
+			window.XMLHttpRequest = class extends originalXHR {
+				override open(
+					method: string,
+					url: string | URL,
+					async = true,
+					username?: string,
+					password?: string
+				) {
+					if (!isRequestAllowed(url.toString())) {
+						dispatchConsentBlockedEvent(url.toString());
+						throw new Error(`Request to ${url} blocked due to missing consent`);
+					}
+
+					super.open(method, url, async, username, password);
+				}
+			};
+		}
+	}
+
+	/**
+	 * Safe restoration of fetch and XHR
+	 */
+	function restoreOriginalRequests(): void {
+		// Restore fetch if it has been overridden
+		if (window.fetch !== originalFetch) {
+			window.fetch = originalFetch;
+		}
+
+		if (window.XMLHttpRequest !== originalXHR) {
+			window.XMLHttpRequest = originalXHR;
+		}
+	}
+
+	// Initialize if automatic blocking is enabled
+	if (!blockerConfig.disableAutomaticBlocking) {
+		interceptNetworkRequests();
+	}
+
+	return {
+		updateConsents: (newConsents: ConsentState) => {
+			consents = newConsents;
+		},
+		destroy: () => {
+			restoreOriginalRequests();
+		},
+	};
+}

package/src/libs/tracking-domains.ts

@@ -0,0 +1,158 @@
+import type { AllConsentNames } from '../types';
+
+/**
+ * Default tracking domains that require specific consent types
+ */
+const DEFAULT_DOMAIN_CONSENT_MAP: Record<string, AllConsentNames> = {
+	// Analytics/Measurement domains
+	'www.google-analytics.com': 'measurement',
+	'analytics.google.com': 'measurement',
+	'www.googletagmanager.com': 'measurement',
+	'stats.g.doubleclick.net': 'measurement',
+	'ampcid.google.com': 'measurement',
+	'analytics.twitter.com': 'measurement',
+	'analytics.pinterest.com': 'measurement',
+	'dc.services.visualstudio.com': 'measurement',
+	'www.clarity.ms': 'measurement',
+	'www.hotjar.com': 'measurement',
+	'static.hotjar.com': 'measurement',
+	'script.hotjar.com': 'measurement',
+	'insights.hotjar.com': 'measurement',
+	'mouseflow.com': 'measurement',
+	'api.mouseflow.com': 'measurement',
+	'tools.mouseflow.com': 'measurement',
+	'cdn.heapanalytics.com': 'measurement',
+	'plausible.io': 'measurement',
+	'matomo.cloud': 'measurement',
+	'matomo.org': 'measurement',
+	'mixpanel.com': 'measurement',
+	'api.mixpanel.com': 'measurement',
+	'sentry.io': 'measurement',
+	'browser.sentry-cdn.com': 'measurement',
+	'js.monitor.azure.com': 'measurement',
+	'stats.wp.com': 'measurement',
+	'pixel.wp.com': 'measurement',
+	'analytics.amplitude.com': 'measurement',
+	'api2.amplitude.com': 'measurement',
+	'cdn.amplitude.com': 'measurement',
+	'api.segment.io': 'measurement',
+	'cdn.segment.com': 'measurement',
+	'api.segment.com': 'measurement',
+	'pendo.io': 'measurement',
+	'data.pendo.io': 'measurement',
+	'cdn.pendo.io': 'measurement',
+
+	// Marketing/Advertising domains
+	'connect.facebook.net': 'marketing',
+	'platform.twitter.com': 'marketing',
+	'platform.linkedin.com': 'marketing',
+	'www.googleadservices.com': 'marketing',
+	'doubleclick.net': 'marketing',
+	'googleads.g.doubleclick.net': 'marketing',
+	'ad.doubleclick.net': 'marketing',
+	'www.facebook.com': 'marketing',
+	'ads.linkedin.com': 'marketing',
+	'ads-api.tiktok.com': 'marketing',
+	'analytics.tiktok.com': 'marketing',
+	'business.tiktok.com': 'marketing',
+	'ads.pinterest.com': 'marketing',
+	'log.pinterest.com': 'marketing',
+	'ads-twitter.com': 'marketing',
+	'static.ads-twitter.com': 'marketing',
+	'advertising.twitter.com': 'marketing',
+	'ads.yahoo.com': 'marketing',
+	'sp.analytics.yahoo.com': 'marketing',
+	'gemini.yahoo.com': 'marketing',
+	'adroll.com': 'marketing',
+	'a.adroll.com': 'marketing',
+	'd.adroll.com': 'marketing',
+	's.adroll.com': 'marketing',
+	'adform.net': 'marketing',
+	'track.adform.net': 'marketing',
+	'dmp.adform.net': 'marketing',
+	'criteo.com': 'marketing',
+	'static.criteo.net': 'marketing',
+	'bidder.criteo.com': 'marketing',
+	'dynamic.criteo.com': 'marketing',
+	'gum.criteo.com': 'marketing',
+	'taboola.com': 'marketing',
+	'cdn.taboola.com': 'marketing',
+	'trc.taboola.com': 'marketing',
+	'outbrain.com': 'marketing',
+	'widgets.outbrain.com': 'marketing',
+	'tr.outbrain.com': 'marketing',
+	'amplify.outbrain.com': 'marketing',
+	'bing.com': 'marketing',
+	'bat.bing.com': 'marketing',
+	'clarity.ms': 'marketing',
+	'quantserve.com': 'marketing',
+	'secure.quantserve.com': 'marketing',
+	'pixel.quantserve.com': 'marketing',
+	'exelator.com': 'marketing',
+	'load.exelator.com': 'marketing',
+	'api.exelator.com': 'marketing',
+	'ad.360yield.com': 'marketing',
+	'match.360yield.com': 'marketing',
+	'ad.turn.com': 'marketing',
+	'r.turn.com': 'marketing',
+	'd.turn.com': 'marketing',
+
+	// Functionality domains
+	'cdn.jsdelivr.net': 'functionality',
+	'ajax.googleapis.com': 'functionality',
+	'fonts.googleapis.com': 'functionality',
+	'maps.googleapis.com': 'functionality',
+	'www.recaptcha.net': 'functionality',
+	'recaptcha.net': 'functionality',
+	'www.gstatic.com': 'functionality',
+	'fonts.gstatic.com': 'functionality',
+	'cdnjs.cloudflare.com': 'functionality',
+	'unpkg.com': 'functionality',
+	'code.jquery.com': 'functionality',
+	'maxcdn.bootstrapcdn.com': 'functionality',
+	'cdn.datatables.net': 'functionality',
+	'js.stripe.com': 'functionality',
+	'api.stripe.com': 'functionality',
+	'checkout.stripe.com': 'functionality',
+	'js.braintreegateway.com': 'functionality',
+	'api.braintreegateway.com': 'functionality',
+	'cdn.shopify.com': 'functionality',
+	'js.intercomcdn.com': 'functionality',
+	'widget.intercom.io': 'functionality',
+	'cdn.auth0.com': 'functionality',
+	'js.pusher.com': 'functionality',
+	'sockjs.pusher.com': 'functionality',
+
+	// Experience/UX domains
+	'app.optimizely.com': 'experience',
+	'cdn.optimizely.com': 'experience',
+	'logx.optimizely.com': 'experience',
+	'cdn.mouseflow.com': 'experience',
+	'fullstory.com': 'experience',
+	'rs.fullstory.com': 'experience',
+	'edge.fullstory.com': 'experience',
+	'vwo.com': 'experience',
+	'dev.visualwebsiteoptimizer.com': 'experience',
+	'assets.adobedtm.com': 'experience',
+	'cdn.tt.omtrdc.net': 'experience',
+	'demdex.net': 'experience',
+	'sc.omtrdc.net': 'experience',
+	'crazyegg.com': 'experience',
+	'script.crazyegg.com': 'experience',
+	'tracking.crazyegg.com': 'experience',
+	'luckyorange.com': 'experience',
+	'cdn.luckyorange.com': 'experience',
+	'w1.luckyorange.com': 'experience',
+	'upload.luckyorange.com': 'experience',
+	'clicktale.net': 'experience',
+	'cdn.clicktale.net': 'experience',
+	'conductor.clicktale.net': 'experience',
+	'userzoom.com': 'experience',
+	'cdn.userzoom.com': 'experience',
+	'api.userzoom.com': 'experience',
+	'contentsquare.net': 'experience',
+	't.contentsquare.net': 'experience',
+	'app.contentsquare.com': 'experience',
+};
+
+export default DEFAULT_DOMAIN_CONSENT_MAP;

package/src/store.initial-state.ts

@@ -0,0 +1,123 @@
+/**
+ * @packageDocumentation
+ * Provides the default initial state configuration for the consent management store.
+ */
+
+import type { PrivacyConsentState } from './store.type';
+import { defaultTranslationConfig } from './translations';
+import { type ConsentState, consentTypes } from './types';
+
+/**
+ * Default initial state for the consent management store.
+ *
+ * @remarks
+ * This configuration establishes the baseline state for the consent manager,
+ * including default consent values, compliance settings, and privacy preferences.
+ *
+ * Notable defaults include:
+ * - All consents start with their type-specific default values
+ * - GDPR compliance is globally enabled
+ * - CCPA compliance is enabled for US users only
+ * - Do Not Track is respected by default
+ * - Only necessary and marketing consents are included in gdprTypes
+ *
+ * @example
+ * Using the initial state:
+ * ```typescript
+ * const store = createConsentManagerStore();
+ *
+ * // Reset to initial state
+ * store.setState(initialState);
+ *
+ * // Extend initial state
+ * const customState = {
+ *   ...initialState,
+ *   privacySettings: {
+ *     honorDoNotTrack: false
+ *   }
+ * };
+ * ```
+ *
+ * @public
+ */
+export const initialState: Omit<
+	PrivacyConsentState,
+	'getEffectiveConsents' | 'hasConsentFor'
+> = {
+	/** Initial consent states based on default values from consent types */
+	consents: consentTypes.reduce((acc, consent) => {
+		acc[consent.name] = consent.defaultValue;
+		return acc;
+	}, {} as ConsentState),
+
+	/** No consent information stored initially */
+	consentInfo: null,
+
+	/** Show consent popup by default */
+	showPopup: true,
+
+	/** Default GDPR consent types to include */
+	gdprTypes: ['necessary', 'marketing'],
+
+	/** Privacy dialog starts closed */
+	isPrivacyDialogOpen: false,
+
+	/** Default compliance settings per region */
+	complianceSettings: {
+		/** GDPR: Enabled globally by default */
+		gdpr: { enabled: true, appliesGlobally: true, applies: true },
+
+		/** CCPA: Enabled for US only */
+		ccpa: { enabled: true, appliesGlobally: false, applies: undefined },
+
+		/** LGPD: Disabled by default */
+		lgpd: { enabled: false, appliesGlobally: false, applies: undefined },
+
+		/** US State Privacy: Enabled for US only */
+		usStatePrivacy: {
+			enabled: true,
+			appliesGlobally: false,
+			applies: undefined,
+		},
+	},
+
+	/** Empty callbacks object - should be populated by implementation */
+	callbacks: {},
+
+	/** Default to US if no country detected */
+	detectedCountry: 'US',
+
+	/** Default privacy settings */
+	privacySettings: {
+		/** Respect Do Not Track by default */
+		honorDoNotTrack: true,
+	},
+
+	/** Default translation configuration */
+	translationConfig: defaultTranslationConfig,
+
+	/** Don't include non-displayed consents by default */
+	includeNonDisplayedConsents: false,
+
+	/** Use predefined consent types */
+	consentTypes: consentTypes,
+
+	// Initialize all methods as no-ops
+	setConsent: () => {},
+	setShowPopup: () => {},
+	setIsPrivacyDialogOpen: () => {},
+	saveConsents: () => {},
+	resetConsents: () => {},
+	setGdprTypes: () => {},
+	setComplianceSetting: () => {},
+	resetComplianceSettings: () => {},
+	setCallback: () => {},
+	setDetectedCountry: () => {},
+	getDisplayedConsents: () => [],
+	hasConsented: () => false,
+	setTranslationConfig: () => {},
+	clearAllData: () => {},
+	updateConsentMode: () => {},
+	setPrivacySettings: () => {},
+	setIncludeNonDisplayedConsents: () => {},
+};