
Fix GA4 consent mode to grant analytics for non-EU/UK visitors#46464

Open
johnjeremiah wants to merge 3 commits into
mainfrom
jj-refine-consent-settings-for-non-gdpr


Contributor

@johnjeremiah johnjeremiah commented May 29, 2026

Previously, the GA4 consent defaults denied analytics_storage for all visitors globally and set wait_for_update: 2000, meaning GA4 would wait up to 2 seconds for CookieYes to resolve geolocation before firing. For visitors on slower connections (mobile, slower CPUs) CookieYes often didn't respond in time, causing GA4 to drop the session entirely and record no pageview. Since ~95% of fleetdm.com's audience is outside the EU/UK and never sees the CookieYes consent banner, this wait was unnecessary for the vast majority of visitors.

Replaces the single global consent default with two region-scoped calls:

  • All visitors: analytics_storage granted immediately (no wait_for_update)
  • EU/EEA/UK/Switzerland only: analytics_storage denied, wait_for_update: 2000

This matches how CookieYes Advanced Consent Mode is intended to work — the consent banner and its associated wait only apply where legally required (GDPR/UK GDPR).

Also fixes the internal referrer check in the Salesforce attribution helper, which was using strict equality against 'https://fleetdm.com/' and missing any visitor whose last internal page was /pricing, /blog, etc. Changed to startsWith so any fleetdm.com referrer is correctly classified as direct traffic.

Summary by CodeRabbit

  • Bug Fixes
    • Improved attribution logic to better recognize site-origin referrers and avoid misclassifying parsing failures as direct traffic.
    • Updated Google Consent Mode defaults to apply stricter consent behavior for EU/EEA/UK/Switzerland and more permissive defaults for visitors elsewhere, honoring regional consent handling.
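The region-scoped behaviour the description relies on, as an added example that is not the author's code and not Fleet's layout.ejs: a small model of how Google Consent Mode chooses between a region-less gtag('consent', 'default', ...) call and a region-scoped one (the more specific region setting takes precedence), so the two calls described above can be checked against sample visitor regions before they ship. The GDPR_REGIONS list is an assumption of what a GDPR/UK GDPR scoped call should cover, not the PR's actual list.

```javascript
// Added example, not code from fleetdm/fleet. It models how Google Consent
// Mode picks between a region-less gtag('consent', 'default', ...) call and a
// region-scoped one, and checks the PR's two calls against sample regions.

// ISO 3166 codes for the EU/EEA, the UK and Switzerland. Assumption: this is
// what a GDPR/UK GDPR scoped call should cover; it is not the PR's own list.
const GDPR_REGIONS = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO', 'GB', 'CH',
];

// The two defaults described in the PR, as plain objects in the shape gtag()
// receives them. The first has no "region" key, so it applies everywhere; the
// second overrides it for the listed regions.
const CONSENT_DEFAULTS = [
  { analytics_storage: 'granted' },
  { analytics_storage: 'denied', wait_for_update: 2000, region: GDPR_REGIONS },
];

// Does a region entry such as "US" or "US-CA" cover a visitor region?
// "US" covers "US" and "US-CA"; "US-CA" covers only "US-CA".
function regionCovers(entry, visitorRegion) {
  return entry === visitorRegion || visitorRegion.startsWith(entry + '-');
}

// Resolve the effective default for one visitor: the most specific matching
// call wins (a region-scoped call beats the region-less one; a longer region
// code beats a shorter one; among equals the later call wins). Settings are
// not merged across calls, which is harmless here because both of the PR's
// calls set the same keys. Returns null when no call applies.
function resolveConsentDefault(defaults, visitorRegion) {
  let best = null;
  let bestSpecificity = -1;
  for (const call of defaults) {
    const { region, ...settings } = call;
    if (region === undefined) {
      if (bestSpecificity <= 0) {
        best = settings;
        bestSpecificity = 0;
      }
      continue;
    }
    for (const entry of region) {
      if (regionCovers(entry, visitorRegion) && entry.length >= bestSpecificity) {
        best = settings;
        bestSpecificity = entry.length;
      }
    }
  }
  return best;
}

// Practitioner check: which regions that should deny analytics_storage by
// default would still fall through to the permissive global default?
function regionsMissingDeny(defaults, regions) {
  return regions.filter((r) => {
    const resolved = resolveConsentDefault(defaults, r);
    return !resolved || resolved.analytics_storage !== 'denied';
  });
}

// Constructed sample visitor regions (not real traffic).
for (const r of ['US', 'US-CA', 'DE', 'GB', 'CH']) {
  console.log(r, resolveConsentDefault(CONSENT_DEFAULTS, r));
}
console.log('regions missing deny:', regionsMissingDeny(CONSENT_DEFAULTS, GDPR_REGIONS));
```

Running `regionsMissingDeny` against a candidate region list is the check worth keeping: if the region-scoped call is dropped or its list is incomplete, the affected regions inherit the granted global default, which is exactly the failure this structure is meant to avoid.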

@johnjeremiah johnjeremiah requested a review from eashaw May 29, 2026 16:43

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai
Contributor

coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 92911885-0df2-4f18-be8b-160e8492efad

📥 Commits

Reviewing files that changed from the base of the PR and between 59abb4e and 92d5656.

📒 Files selected for processing (1)
  • website/api/helpers/salesforce/update-or-create-contact-and-account.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • website/api/helpers/salesforce/update-or-create-contact-and-account.js

Walkthrough

This PR updates two areas: (1) the Salesforce helper now parses marketingAttributionCookie.referrer and treats a referrer as Fleet-origin when the hostname equals fleetdm.com or ends with .fleetdm.com (case-insensitive), and it no longer forces "Direct traffic" for unparseable referrers; (2) the site layout adds two gtag("consent","default",...) calls to apply immediate analytics/functionality consent for non-EU/UK visitors and deny analytics/functionality (with wait_for_update: 2000) for EU/EEA/UK/Switzerland.

Possibly related PRs

  • fleetdm/fleet#46096: Touches referrer-derived attribution logic from marketingAttributionCookie/attributionDetails, relating to the same referrer handling.
  • fleetdm/fleet#45807: Also modifies how marketingAttributionCookie.referrer is parsed/used for Salesforce attribution fields.
  • fleetdm/fleet#44952: Modifies the Google Consent Mode initialization in the same layout.ejs consent script logic.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description explains the problem (GA4 wait causing dropped sessions for non-EU visitors) and the solution (region-scoped consent calls), but does not follow the required template or address testing, validation, or changes file requirements. | Use the provided template structure: add Related issue field, complete the Checklist sections (changes file, testing, validation), and verify QA and automated tests were performed for the consent and referrer changes. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely summarizes the primary change: fixing GA4 consent mode to grant analytics for non-EU/UK visitors, which addresses the core issue described in the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@website/api/helpers/salesforce/update-or-create-contact-and-account.js`:
- Around line 281-282: The referrer check that uses
marketingAttributionCookie.referrer.startsWith('https://fleetdm.com') can be
spoofed by domains like fleetdm.com.evil.com; replace the string prefix check in
the block that sets direct/internal referrer logic with proper URL hostname
parsing: use the URL constructor in a try/catch to extract referrerHostname from
marketingAttributionCookie.referrer, then treat it as internal if
referrerHostname === 'fleetdm.com' or referrerHostname.endsWith('.fleetdm.com');
ensure you still handle missing/invalid referrer values the same way (the same
branch that currently checks marketingAttributionCookie.referrer and startsWith
should be updated to use this hostname-based test).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 76a2876a-f24a-4764-9537-6aeffa270b45

📥 Commits

Reviewing files that changed from the base of the PR and between 64f6018 and ac8c03e.

📒 Files selected for processing (2)
  • website/api/helpers/salesforce/update-or-create-contact-and-account.js
  • website/views/layouts/layout.ejs
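The three referrer checks discussed in this thread side by side, as an added example that is not code from fleetdm/fleet: the original strict-equality comparison the description says missed /pricing and /blog, the startsWith() prefix check the PR introduced, and the hostname-based check CodeRabbit suggested in the inline comment above (URL constructor in a try/catch, exact match or dot-anchored suffix). The sample referrers are constructed; the function names are this example's own.

```javascript
// Added example, not code from fleetdm/fleet. It contrasts three ways of
// deciding whether a marketing-attribution referrer is internal fleetdm.com
// traffic, so the cases where they disagree are visible.

// Original behaviour: only the bare homepage URL counts as internal, so a
// visitor whose last internal page was /pricing or /blog is missed.
function isInternalReferrerByEquality(referrer) {
  return referrer === 'https://fleetdm.com/';
}

// The PR's first version: a string prefix check. It fixes the /pricing case
// but accepts any URL whose text begins with "https://fleetdm.com", including
// lookalike hosts, and it is case-sensitive on the scheme and host.
function isInternalReferrerByPrefix(referrer) {
  return typeof referrer === 'string' && referrer.startsWith('https://fleetdm.com');
}

// Hostname-based check, as suggested in review: parse the referrer with the
// URL constructor and compare the parsed hostname exactly or against a
// dot-anchored suffix. Empty or unparseable referrers are not internal and are
// left for the caller to classify as it does any unknown referrer.
function isInternalReferrerByHostname(referrer) {
  if (typeof referrer !== 'string' || referrer === '') {
    return false;
  }
  let hostname;
  try {
    hostname = new URL(referrer).hostname.toLowerCase();
  } catch (err) {
    return false; // not a valid absolute URL
  }
  return hostname === 'fleetdm.com' || hostname.endsWith('.fleetdm.com');
}

// Constructed sample referrers (not real traffic). The last two are the cases
// where the prefix check and the hostname check disagree.
const SAMPLE_REFERRERS = [
  'https://fleetdm.com/',
  'https://fleetdm.com/pricing',
  'https://www.fleetdm.com/blog',
  'https://FleetDM.com/docs',            // mixed case: prefix check misses it
  'https://notfleetdm.com/',
  'not a url',
  '',
  'https://fleetdm.com.evil.example/',   // lookalike host: prefix says internal
  'https://fleetdm.com@evil.example/',   // userinfo before the real host
];

// One row per referrer so the three checks can be compared side by side.
function compareReferrerChecks(referrers = SAMPLE_REFERRERS) {
  return referrers.map((referrer) => ({
    referrer,
    equality: isInternalReferrerByEquality(referrer),
    prefix: isInternalReferrerByPrefix(referrer),
    hostname: isInternalReferrerByHostname(referrer),
  }));
}

// Referrers the prefix check accepts but the hostname check rejects: these are
// the misclassifications that would have been recorded as direct traffic.
function prefixOnlyMatches(referrers = SAMPLE_REFERRERS) {
  return compareReferrerChecks(referrers)
    .filter((row) => row.prefix && !row.hostname)
    .map((row) => row.referrer);
}

console.table(compareReferrerChecks());
console.log('prefix-only matches:', prefixOnlyMatches());
```

The dot in `'.fleetdm.com'` is what makes the suffix test safe: `notfleetdm.com` ends with `fleetdm.com` but not with `.fleetdm.com`. The WHATWG URL parser also normalises host case and strips any userinfo, which is why the hostname check classifies the mixed-case and `user@host` samples correctly while the prefix check does not.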

Comment thread website/api/helpers/salesforce/update-or-create-contact-and-account.js Outdated