Skip to content

GPT integration#282

Open
ChristianPavilonis wants to merge 7 commits intomainfrom
feature/gpt-integration
Open

GPT integration#282
ChristianPavilonis wants to merge 7 commits intomainfrom
feature/gpt-integration

Conversation

@ChristianPavilonis
Copy link
Collaborator

@ChristianPavilonis ChristianPavilonis commented Feb 10, 2026
edited
Loading

What this does
Proxies gpt.js script and additional scripts loaded by gpt.js that do the heavy lifting for ad calls for google.

Change Summary

  • Add a new GPT (Google Publisher Tags) integration that proxies the entire GPT script cascade through the publisher's first-party domain, eliminating third-party script loads to securepubads.g.doubleclick.net
  • Server-side: Rust module with HTML attribute rewriting, bootstrap script serving (/integrations/gpt/script), and wildcard proxy endpoints (/pagead/, /tag/) that serve Google's scripts verbatim
  • Client-side: TypeScript script guard with six interception layers (document.write, src property descriptor, setAttribute, createElement, DOM insertion patches, MutationObserver) to catch and rewrite all dynamically inserted GPT scripts back through the proxy
  • Includes a googletag.cmd command queue patch as a hook point for future synthetic ID targeting injection and consent gating
  • Adds integration documentation, unit tests (Rust + TypeScript), and default config in trusted-server.toml

Closes #227

Verifying GPT Script Proxying in the Browser
To confirm that GPT scripts are being proxied through the trusted server domain:

  1. Open DevTools > Network tab on a page with GPT ads
  2. Filter by JS or search for gpt
  3. Look for requests to your publisher domain (e.g. publisher.com/integrations/gpt/script and publisher.com/integrations/gpt/pagead/...) instead of securepubads.g.doubleclick.net
  4. Proxied responses will include the response headers X-GPT-Proxy: true and X-Script-Source:
  5. In the Console tab, look for log messages prefixed with GPT guard: confirming the interception layers are active (e.g. "GPT guard: rewriting document.write script src")

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 10, 2026
View reviewed changes
crates/js/lib/src/integrations/gpt/script_guard.ts Outdated

/** Google ad-serving domains whose URLs should be proxied (exact match). */
const GPT_DOMAINS = [
'securepubads.g.doubleclick.net',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'doubleclick.net', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
/** Google ad-serving domains whose URLs should be proxied (exact match). */
const GPT_DOMAINS = [
'securepubads.g.doubleclick.net',
'pagead2.googlesyndication.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googlesyndication.com', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
const GPT_DOMAINS = [
'securepubads.g.doubleclick.net',
'pagead2.googlesyndication.com',
'tpc.googlesyndication.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googlesyndication.com', so it might match more hosts than expected.

Copilot Autofix

AI about 22 hours ago

In general, to avoid incomplete hostname regular expressions, any string used to build a regex should be run through a generic “escape for regex literal” function that escapes all regex metacharacters, not only dots. This ensures future additions to GPT_DOMAINS cannot accidentally introduce patterns that match more than the literal hostname.

Concretely, in crates/js/lib/src/integrations/gpt/script_guard.ts, the fallback block in rewriteUrl currently builds the regex with:

new RegExp(`https?://(?:www\\.)?${domain.replace(/\./g, '\\.')}`, 'i')

This manually escapes only dots in domain. Replace this with a helper escapeRegex (defined in this file) that escapes every regex metacharacter: \ ^ $ * + ? . ( ) | { } [ ]. Use that helper both for domain and for any other future regex constructions based on literal strings if needed. The change is localized to this file: add the helper function (near the top, after constants or helpers) and change the new RegExp(...) call to use escapeRegex(domain) instead of domain.replace(/\./g, '\\.'). No behavior changes for current values, but it becomes robust and satisfies the security rule.

Suggested changeset 1
crates/js/lib/src/integrations/gpt/script_guard.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/crates/js/lib/src/integrations/gpt/script_guard.ts b/crates/js/lib/src/integrations/gpt/script_guard.ts
--- a/crates/js/lib/src/integrations/gpt/script_guard.ts
+++ b/crates/js/lib/src/integrations/gpt/script_guard.ts
@@ -54,6 +54,13 @@
 /** Integration route prefix on the first-party domain. */
 const PROXY_PREFIX = '/integrations/gpt';
 
+/**
+ * Escape a string so it can be safely used inside a RegExp literal.
+ */
+function escapeRegex(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 // ---------------------------------------------------------------------------
 // URL matching and rewriting
 // ---------------------------------------------------------------------------
@@ -98,7 +105,7 @@
       if (lower.includes(domain)) {
         const prefix = hostPrefixForDomain(domain);
         return originalUrl.replace(
-          new RegExp(`https?://(?:www\\.)?${domain.replace(/\./g, '\\.')}`, 'i'),
+          new RegExp(`https?://(?:www\\.)?${escapeRegex(domain)}`, 'i'),
           `${window.location.protocol}//${window.location.host}${PROXY_PREFIX}${prefix}`,
         );
       }
EOF
@@ -54,6 +54,13 @@
/** Integration route prefix on the first-party domain. */
const PROXY_PREFIX = '/integrations/gpt';

/**
* Escape a string so it can be safely used inside a RegExp literal.
*/
function escapeRegex(value: string): string {
return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// ---------------------------------------------------------------------------
// URL matching and rewriting
// ---------------------------------------------------------------------------
@@ -98,7 +105,7 @@
if (lower.includes(domain)) {
const prefix = hostPrefixForDomain(domain);
return originalUrl.replace(
new RegExp(`https?://(?:www\\.)?${domain.replace(/\./g, '\\.')}`, 'i'),
new RegExp(`https?://(?:www\\.)?${escapeRegex(domain)}`, 'i'),
`${window.location.protocol}//${window.location.host}${PROXY_PREFIX}${prefix}`,
);
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
'pagead2.googlesyndication.com',
'tpc.googlesyndication.com',
'googletagservices.com',
'www.googletagservices.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googletagservices.com', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
'tpc.googlesyndication.com',
'googletagservices.com',
'www.googletagservices.com',
'cm.g.doubleclick.net',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'doubleclick.net', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

crates/js/lib/src/integrations/gpt/script_guard.ts Outdated
'cm.g.doubleclick.net',
'ep1.adtrafficquality.google',
'ep2.adtrafficquality.google',
'www.googleadservices.com',

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This string, which is used as a regular expression [here](1), has an unescaped '.' before 'googleadservices.com', so it might match more hosts than expected.

Copilot Autofix

AI about 2 hours ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

@ChristianPavilonis ChristianPavilonis linked an issue Feb 11, 2026 that may be closed by this pull request
As publisher I want to host GPT script in publisher domain #227
Open
@ChristianPavilonis
Copy link
Collaborator Author

ChristianPavilonis commented Feb 11, 2026

We should consider the scope of this integration.

Currently this is doing a lot of rewriting and proxying it's not catching everything but many scripts and 3rd party calls are proxied through the 1st party context.

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 12, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 12, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 12, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 13, 2026
View reviewed changes
github-code-quality[bot]
github-code-quality bot found potential problems Feb 13, 2026
View reviewed changes
@ChristianPavilonis ChristianPavilonis marked this pull request as ready for review February 13, 2026 18:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aram356 aram356 Awaiting requested review from aram356

1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@ChristianPavilonis ChristianPavilonis

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

As publisher I want to host GPT script in publisher domain

1 participant

@ChristianPavilonis