feat: Implement consent page that runs on (firefox) install/update (#138)

This PR implements a dedicated webpage for requesting consent from
firefox users on install or update (only if consent version changes).

<img width="1509" alt="Screenshot 2025-06-19 at 10 09 43"
src="https://github.com/user-attachments/assets/1a77e8dc-e677-4740-b262-2708022902c9"
/>

Author: spalmurray

.github/workflows/publish.yml

@@ -55,12 +55,12 @@ jobs:
           CLIENT_ID: ${{ secrets.GOOGLE_WEB_STORE_CLIENT_ID }}
           CLIENT_SECRET: ${{ secrets.GOOGLE_WEB_STORE_CLIENT_SECRET }}
           REFRESH_TOKEN: ${{ secrets.GOOGLE_WEB_STORE_REFRESH_TOKEN }}
-      # - name: Publish to Firefox
-      #   working-directory: dist-firefox
-      #   run: npx web-ext sign
-      #   env:
-      #     WEB_EXT_API_KEY: ${{ secrets.WEB_EXT_JWT_ISSUER }}
-      #     WEB_EXT_API_SECRET: ${{ secrets.WEB_EXT_JWT_SECRET }}
-      #     WEB_EXT_CHANNEL: listed
-      #     WEB_EXT_API_UPLOAD_SOURCE_CODE: ../codecov-browser-extension-${{ github.event.release.tag_name }}.tar.gz
-      #     WEB_EXT_APPROVAL_TIMEOUT: 0 # Disable timeout for approval
+      - name: Publish to Firefox
+        working-directory: dist-firefox
+        run: npx web-ext sign
+        env:
+          WEB_EXT_API_KEY: ${{ secrets.WEB_EXT_JWT_ISSUER }}
+          WEB_EXT_API_SECRET: ${{ secrets.WEB_EXT_JWT_SECRET }}
+          WEB_EXT_CHANNEL: listed
+          WEB_EXT_API_UPLOAD_SOURCE_CODE: ../codecov-browser-extension-${{ github.event.release.tag_name }}.tar.gz
+          WEB_EXT_APPROVAL_TIMEOUT: 0 # Disable timeout for approval

public/consent.html

@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <title>Codecov Browser Extension</title>
+    <script src="consent.js"></script>
+    <link rel="preconnect" href="https://fonts.googleapis.com" />
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:[email protected]&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      html {
+        height: 100vh;
+      }
+
+      body {
+        font-family: "Inter", sans-serif;
+        font-weight: 400;
+        font-size: 20px;
+        line-height: 30px;
+        letter-spacing: 0%;
+        text-align: center;
+        color: rgb(14, 27, 41);
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        height: 100%;
+        margin: 0;
+      }
+
+      div#content {
+        max-width: 796px;
+        flex-grow: 0;
+        flex-shrink: 1;
+      }
+
+      h1 {
+        font-size: 60px;
+        line-height: 100%;
+      }
+
+      a {
+        text-decoration: none;
+      }
+
+      button {
+        width: 214px;
+        height: 49px;
+        border-radius: 4px;
+        border-width: 1px;
+        padding-top: 4px;
+        padding-right: 16px;
+        padding-bottom: 4px;
+        padding-left: 16px;
+        background: rgba(0, 149, 255, 1);
+        border: 1px solid rgba(1, 88, 150, 1);
+        box-shadow: 0px 1px 3px 0px rgba(0, 0, 0, 0.1);
+        box-shadow: 0px 1px 2px 0px rgba(0, 0, 0, 0.06);
+
+        font-size: 18px;
+        line-height: 150%;
+        text-align: center;
+        vertical-align: middle;
+        color: rgba(255, 255, 255, 1);
+
+        cursor: pointer;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="content">
+      <svg
+        width="108"
+        height="103"
+        viewBox="0 0 108 103"
+        fill="none"
+        xmlns="http://www.w3.org/2000/svg"
+      >
+        <path
+          d="M54.1288 0C24.2973 0 0 24.0054 0 53.2965V53.5371L9.14057 58.8228H9.38155C15.1567 54.9809 22.1368 53.5371 29.1086 54.7403C33.9198 55.7028 38.4901 57.8602 42.0965 61.2208L43.7833 62.6646L44.7472 60.7478C45.7112 58.8311 46.6751 57.1466 47.6307 55.4622C48.1126 54.7403 48.5946 54.259 49.0766 53.5454L50.0405 52.3422L48.8356 51.3797C43.7833 47.2972 37.7672 44.4179 31.2691 43.2147C25.0119 42.0115 18.7548 42.2522 12.9879 44.1772C17.3255 25.2086 34.1608 11.7662 54.1288 11.7662C65.4382 11.7662 76.0246 16.0893 83.9603 24.0137C89.7355 29.5317 93.5828 36.5018 95.2697 44.1772C91.6633 42.9741 87.8076 42.4928 83.9603 42.4928H83.2374C81.7915 42.4928 80.3539 42.7334 78.6671 42.7334H78.4261C77.9441 42.7334 77.2212 42.9741 76.7392 42.9741C75.7753 43.2147 75.0524 43.2147 74.0968 43.4553L73.3739 43.696C72.6509 43.9366 71.928 44.1772 71.205 44.4179H70.9641C69.2772 44.8991 67.8397 45.621 66.1528 46.3347C65.4299 46.5753 64.7069 47.0566 63.984 47.5378H63.743C60.1366 49.6952 56.7629 52.3422 54.1205 55.7028L53.8795 56.1841C53.1566 57.1466 52.6746 57.8685 52.1927 58.3415C51.7107 58.8228 51.4697 59.5447 50.9878 60.2583L50.7468 60.7395C50.2648 61.4615 50.0239 62.1834 49.7829 62.6563V62.897C49.0599 64.3408 48.337 66.0169 47.855 67.7014V67.942C46.6502 71.7839 45.9272 75.8664 45.9272 80.1895V84.7532C45.9272 85.2345 46.1682 85.9564 46.1682 86.4377C47.3731 92.1963 50.0155 97.7226 54.1039 102.759L54.3448 103L54.5858 102.759C56.2727 100.843 60.12 94.835 60.602 91.2338C58.6742 87.6326 57.7185 83.5501 57.7185 79.7082C57.7185 66.2659 68.305 54.9809 82.0158 54.259H82.9798C88.514 54.0184 94.0482 55.7028 98.6185 58.8228H98.8594L108 53.5371V53.2965C108 39.1322 102.466 25.6898 92.1203 15.6081C82.0408 5.51801 68.5709 0 54.1288 0Z"
+          fill="#FF0077"
+        />
+      </svg>
+      <h1>Codecov Browser Extension</h1>
+      <p>
+        If you're seeing this, we've updated our
+        <a
+          href="https://addons.mozilla.org/en-US/firefox/addon/codecov/privacy/"
+          target="_blank"
+          >privacy policy</a
+        >.
+      </p>
+      <p>
+        By clicking 'Accept', you confirm that you understand and agree to the
+        privacy policy of the Codecov Browser Extension. Should you decide not
+        to accept, please note that the extension will not work.
+      </p>
+      <br />
+      <button id="codecov-consent-accept">Accept</button>
+    </div>
+  </body>
+</html>

public/consent.js

@@ -0,0 +1,18 @@
+document.addEventListener("DOMContentLoaded", function () {
+  var button = document.getElementById("codecov-consent-accept");
+  button.addEventListener("click", async function () {
+    const result = await browser.runtime.sendMessage({
+      type: "set_consent",
+      payload: true,
+    });
+
+    if (result) {
+      console.log("Consent granted, closing tab");
+      close();
+    } else {
+      console.error(
+        "Something went wrong saving consent. Please report this at https://github.com/codecov/codecov-browser-extension/issues"
+      );
+    }
+  });
+});

src/background/main.ts

@@ -12,22 +12,27 @@ import {
   unregisterContentScriptIfExists,
 } from "./dynamic_content_scripts";
 
-async function main(): Promise<void> {
-  browser.runtime.onMessage.addListener(handleMessages);
-
-  sentryInit({
-    dsn: process.env.SENTRY_DSN,
-
-    integrations: [
-      browserTracingIntegration({
-        // disable automatic span creation
-        instrumentNavigation: false,
-        instrumentPageLoad: false,
-      }),
-    ],
+async function handleConsent(): Promise<void> {
+  const consent = await new Codecov().getConsent();
+  if (!consent) {
+    const url = browser.runtime.getURL("consent.html");
+    await browser.tabs.create({ url, active: true });
+  }
+}
 
-    tracesSampleRate: 1.0,
+async function main(): Promise<void> {
+  browser.runtime.onInstalled.addListener(async ({ reason, temporary }) => {
+    switch (reason) {
+      case "install": {
+        await handleConsent();
+      }
+      case "update": {
+        await handleConsent();
+      }
+    }
   });
+
+  browser.runtime.onMessage.addListener(handleMessages);
 }
 
 async function handleMessages(message: {
@@ -36,6 +41,25 @@ async function handleMessages(message: {
   referrer?: string;
 }) {
   const codecov = new Codecov();
+  if (await codecov.getConsent()) {
+    console.log("Have data consent, initializing Sentry");
+    sentryInit({
+      dsn: process.env.SENTRY_DSN,
+
+      integrations: [
+        browserTracingIntegration({
+          // disable automatic span creation
+          instrumentNavigation: false,
+          instrumentPageLoad: false,
+        }),
+      ],
+
+      tracesSampleRate: 1.0,
+    });
+  } else {
+    console.log("Do not have data consent, not initializing Sentry");
+  }
+
   return startSpan({ name: message.type }, async () => {
     switch (message.type) {
       case MessageType.FETCH_COMMIT_REPORT:
@@ -48,6 +72,10 @@ async function handleMessages(message: {
         return codecov.listComponents(message.payload, message.referrer!);
       case MessageType.CHECK_AUTH:
         return codecov.checkAuth(message.payload);
+      case MessageType.GET_CONSENT:
+        return codecov.getConsent();
+      case MessageType.SET_CONSENT:
+        return codecov.setConsent(message.payload);
       case MessageType.REGISTER_CONTENT_SCRIPTS:
         return registerContentScript(message.payload);
       case MessageType.UNREGISTER_CONTENT_SCRIPTS:

src/constants.ts

@@ -1,3 +1,7 @@
+// The version number here should represent the last version where consent requirement was updated.
+// We must update the key's version to re-request consent whenever the data we collect changes.
+export const consentStorageKey = "codecov-consent-0.5.9";
+
 export const codecovApiTokenStorageKey = "self_hosted_codecov_api_token";
 export const selfHostedCodecovURLStorageKey = "self_hosted_codecov_url";
 export const selfHostedGitHubURLStorageKey = "self_hosted_github_url";

src/content/github/common/consent.ts

@@ -1,9 +1,3 @@
-// The version number here should represent the last version where consent requirement was updated.
-// We must update the key's version to re-request consent whenever the data we collect changes.
-export const consentStorageKey = "codecov-consent-0.5.9";
-export const consentDialogCopy =
-  "By clicking OK, you agree to the Codecov browser extension's privacy policy (https://addons.mozilla.org/en-US/firefox/addon/codecov/privacy/). This message will reappear if you click Cancel. If you do not wish to agree, please uninstall the extension.";
-
 export const animationName = "codecov-gh-observer";
 
 export const animationDefinitionId = `${animationName}-keyframe`;

src/content/github/common/constants.ts

@@ -101,3 +101,11 @@ export async function getPRReport(url: any) {
 
   return response.data;
 }
+
+export async function getConsent() {
+  const response = await browser.runtime.sendMessage({
+    type: MessageType.GET_CONSENT,
+  });
+
+  return response;
+}

src/content/github/common/fetchers.ts

@@ -29,10 +29,10 @@ import {
   getCommitReport,
   getFlags,
   getBranchReport,
+  getConsent,
 } from "../common/fetchers";
 import { print } from "src/utils";
 import Sentry from "../../common/sentry";
-import { ensureConsent } from "../common/consent";
 
 const globals: {
   coverageReport?: FileCoverageReport;
@@ -60,8 +60,7 @@ function init(): Promise<void> {
 
 async function main(): Promise<void> {
   try {
-    const consent = await ensureConsent();
-    if (!consent) {
+    if (!(await getConsent())) {
       return;
     }
 

src/content/github/file/main.tsx

@@ -12,19 +12,17 @@ import {
 import { lineSelector } from "./constants";
 import { colors } from "../common/constants";
 import { print } from "src/utils";
-import { getPRReport } from "../common/fetchers";
+import { getConsent, getPRReport } from "../common/fetchers";
 import { isPrUrl } from "../common/utils";
 import Sentry from "src/content/common/sentry";
-import { ensureConsent } from "../common/consent";
 
 const globals: {
   coverageReport?: PullCoverageReport;
 } = {};
 
 async function main() {
   try {
-    const consent = await ensureConsent({ checkOnly: true });
-    if (!consent) {
+    if (!(await getConsent())) {
       return;
     }