Merge pull request #2347 from broadinstitute/jb-appcues-removal

Removing all AppCues integration (SCP-6095)

Author: bistline

app/javascript/lib/metrics-api.js

@@ -98,10 +98,6 @@ export function logClick(event) {
     return
   }
 
-  if (window.Appcues) {
-    logAppcuesClicks()
-  }
-
   // we use closest() so we don't lose clicks on, e.g. icons within a link/button
   // (and we have to use $.closest since IE still doesn't have built-in support for it)
   if (target.closest('a').length) {
@@ -115,44 +111,6 @@ export function logClick(event) {
   }
 }
 
-/**
- * Logs Appcues public events to Mixpanel
- * https://docs.appcues.com/article/161-javascript-api
- *
- * Event prop building borrowed from Terra UI
- * https://github.com/DataBiosphere/terra-ui/pull/2463/files
- */
-function logAppcuesClicks() {
-  window.Appcues.on('all', (eventName, event) => {
-    const eventProps = {
-      'appcues.flowId': event.flowId,
-      'appcues.flowName': event.flowName,
-      'appcues.flowType': event.flowType,
-      'appcues.flowVersion': event.flowVersion,
-      'appcues.id': event.id,
-      'appcues.interaction.category': event.interaction?.category,
-      'appcues.interaction.destination': event.interaction?.destination,
-      'appcues.interaction.element': event.interaction?.element,
-      'appcues.interaction.fields': JSON.stringify(event.interaction?.fields),
-      'appcues.interaction.formId': event.interaction?.formId,
-      'appcues.interaction.text': event.interaction?.text, // not documented by Appcues, but observed and useful
-      'appcues.interactionType': event.interactionType,
-      'appcues.localeId': event.localeId,
-      'appcues.localeName': event.localeName,
-      'appcues.name': event.name,
-      'appcues.sessionId': event.sessionId,
-      'appcues.stepChildId': event.stepChildId,
-      'appcues.stepChildNumber': event.stepChildNumber,
-      'appcues.stepId': event.stepId,
-      'appcues.stepNumber': event.stepNumber,
-      'appcues.stepType': event.stepType,
-      'appcues.timestamp': event.timestamp
-    }
-    log(eventName, eventProps)
-    log('appcues:event', eventProps)
-  })
-}
-
 /** Log clicks on SVG element of analytics interest */
 export function logClickOther(target) {
   const props = {
@@ -522,8 +480,6 @@ export function log(name, props = {}) {
 
   init = Object.assign(init, body)
 
-  window.Appcues && window.Appcues.identify(window.SCP.userId)
-
   if (('SCP' in window && !window.SCP.isTest) || metricsApiMock) {
     const url = `${bardDomain}/api/event/`
     fetch(url, init).then(response => {

app/views/layouts/application.html.erb

@@ -43,7 +43,7 @@
       window.SCP.featuredSpace = 'covid19'
       <% end %>
 
-      // Set the unique cookie for tracking user IDs in GA.  Also used in Mixpanel and Appcues.
+      // Set the unique cookie for tracking user IDs in GA.  Also used in Mixpanel.
       // This is not personally identifiable, lasts for 1 year or until cleared.
       if ( typeof Cookies.get('user_id') === 'undefined' ) {
         Cookies.set('user_id', '<%= user_signed_in? ? current_user.get_metrics_uuid : SecureRandom.uuid %>', {expires: 365})
@@ -81,12 +81,6 @@
     </style>
   <% end %>
 
-  <script type="text/javascript"  nonce="<%= content_security_policy_script_nonce %>">
-  window.AppcuesSettings = {
-    enableURLDetection: true
-  };
-</script>
-<script type="text/javascript" nonce="<%= content_security_policy_script_nonce %>" src="https://fast.appcues.com/49767.js"></script>
 
 </head>
 <body <%= @selected_branding_group.present? ? "data-branding-id=#{@selected_branding_group.name_as_id}" : nil %>>

config/initializers/content_security_policy.rb

@@ -68,11 +68,7 @@
     allowed_connect_sources.push('ws://localhost:3036')
     allowed_connect_sources.push('ws://127.0.0.1:3036')
   end
-  # For appcues
-  allowed_connect_sources.push('https://*.appcues.com')
-  allowed_connect_sources.push('https://*.appcues.net')
-  allowed_connect_sources.push('wss://*.appcues.net')
-  allowed_connect_sources.push('wss://*.appcues.com')
+
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
@@ -81,7 +77,7 @@
     # directive values: these values will directly translate into source directives
     default_src: %w('self'),
     block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
-    frame_src: %w('self' https://*.appcues.com), # if child-src isn't supported, the value for frame-src will be set.
+    frame_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
     font_src: %w('self' data: https://fonts.googleapis.com https://fonts.google.com https://fonts.gstatic.com ),
     form_action: %w('self' https://accounts.google.com),
     connect_src: allowed_connect_sources,
@@ -92,9 +88,8 @@
     script_src: %w('self' blob: 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' https://cdn.plot.ly https://cdn.datatables.net
                      https://www.google-analytics.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com
                      https://use.fontawesome.com https://js-agent.newrelic.com https://bam.nr-data.net
-                     https://*.appcues.com https://*.appcues.net https://*.soe.ucsc.edu),
-    style_src: %w('self' blob: https://maxcdn.bootstrapcdn.com
-                      https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline'),
+                     https://*.soe.ucsc.edu),
+    style_src: %w('self' blob: https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline'),
     upgrade_insecure_requests: true # see https://www.w3.org/TR/upgrade-insecure-requests/
   }