Add filter to apply Base64 encoding to order attribution cookies #47597

Merged: 4 commits merged on May 20, 2024

layoutd (Contributor) commented May 18, 2024

Changes proposed in this Pull Request:

In the continuing effort to make the order attribution functionality available for stores on any servers, and in light of several recent mentions of different web application firewalls and rulesets that are still being incorrectly triggered, this PR:

  • Bumps the Sourcebuster version to the new v1.2.0 which, among other things, adds a configuration parameter to enable Base64 encoding of the cookie values.
  • Adds a new wc_order_attribution_use_base64_cookies filter flag to enable Base64 encoding for Sourcebuster cookies. Merchants who have been blocked from updating to a newer version of WooCommerce due to WAFs falsely flagging the Sourcebuster cookies should hopefully be able to get around this by enabling this encoding.

Related to #43681 and #43413.

Notes:

  • When enabled, all new and updated cookie values are Base64 encoded. Existing cookies will remain unencoded, but are still readable and, since cookie lifetime is just the session, they will be recreated in the correct format on the next visit.
  • The new Sourcebuster version also enables several new UTM parameters, but capturing those during checkout will be implemented in an accompanying PR (Add order attribution GA4 UTM parameters #47639).
  • 👋🏻 Just pointing out that the Base64 encoding process in Sourcebuster removes any = from the end of the resulting string after encoding, to ensure the value is solely alphanumeric.

How to test the changes in this Pull Request:

👉🏻 Prerequisites: store with products and configured to allow checkouts and with order attribution enabled.

Test 1: Order attribution works as normal with the new Sourcebuster version (no filter enabled)

  1. Visit the shop in a new browser session (incognito, for example)
  2. In the dev console, execute the snippet wc_order_attribution.getAttributionData() and see that source data is retrieved (probably source_type:'typein')
  3. Confirm that the sbjs_* cookies are in the original format (URL encoded, param=value|||param=value|||…).
  4. Add items to the cart and check out.
  5. Confirm in the order edit page that order attribution data is available

Test 2: Order attribution works with new filter

  1. Add the filter to enable Base64: add_filter( 'wc_order_attribution_use_base64_cookies', '__return_true' );
  2. In a new browser session without existing cookies (incognito), visit the shop with UTM params site.com/shop/?utm_source=test_source_base64&utm_campaign=Éürøpãp🅰️&utm_medium=test_medium
  3. Check in the cookies to see that the cookie values are Base64 (just alphanumeric, no % or =).
  4. In the dev console, execute the snippet wc_order_attribution.getAttributionData() and see that source data is retrieved
  5. Run the JavaScript snippet to confirm data is accurate wc_order_attribution.getAttributionData()
  6. Complete the checkout and confirm that order attribution data was captured.

Test 3: Order attribution works for users who have cookies in the old format

  1. Disable the filter.
  2. Visit the shop in a new browser session, UTM params: site.com/shop/?utm_source=test_source_base64&utm_campaign=Éürøpãp🅰️&utm_medium=test_medium
  3. Confirm that all the cookies are in the original format (see test 1, step 3).
  4. Enable the filter.
  5. Navigate to another page.
  6. Confirm that SOME cookies have been updated to Base64 encoding (see explanation in this comment on Sourcebuster PR: Allow base64 encoded cookie content  sourcebuster-js#6 (comment))
  7. In the dev console, execute the snippet wc_order_attribution.getAttributionData() and see that source data is retrieved
  8. Add items to the cart and check out.
  9. Confirm in the order edit page that order attribution data is available

Test 4: Order attribution works for users who have cookies in the new format if the filter is disabled

  1. Enable the filter.
  2. Visit the shop in a new browser session, UTM params: site.com/shop/?utm_source=test_source_base64&utm_campaign=Éürøpãp🅰️&utm_medium=test_medium
  3. Confirm that all the cookies are Base64 encoded (see test 2, step 3).
  4. Disable the filter.
  5. Navigate to another page.
  6. Confirm that SOME cookies have been updated to the old format (see explanation in this comment on Sourcebuster PR: Allow base64 encoded cookie content  sourcebuster-js#6 (comment))
  7. In the dev console, execute the snippet wc_order_attribution.getAttributionData() and see that source data is retrieved
  8. Add items to the cart and check out.
  9. Confirm in the order edit page that order attribution data is available

Test 5: Order attribution works with filter enabled using other checkout type

  1. Change the store checkout type (from Classic to Block, or vice versa).
  2. Repeat steps from Test 2.

@layoutd layoutd added plugin: woocommerce Issues related to the WooCommerce Core plugin. team: Ventures focus: order attribution Issues related to the order attribution feature labels May 18, 2024
@layoutd layoutd self-assigned this May 18, 2024
@github-actions github-actions bot added the focus: monorepo infrastructure Issues and PRs related to monorepo tooling. label May 18, 2024
github-actions bot (Contributor) commented May 18, 2024

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.
WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Test this pull request with WordPress Playground.

Note that this URL is valid for 30 days from when this comment was last updated. You can update it by closing/reopening the PR or pushing a new commit.

@layoutd layoutd requested a review from a team May 20, 2024 10:49
@layoutd layoutd marked this pull request as ready for review May 20, 2024 10:50
Contributor

Hi, @woocommerce/ventures

Apart from reviewing the code changes, please make sure to review the testing instructions as well.

You can follow this guide to find out what good testing instructions should look like:
https://github.com/woocommerce/woocommerce/wiki/Writing-high-quality-testing-instructions

ecgan (Member) left a comment

Tested, works as expected. The code changes look good. 👍

I have just one small comment about the PR description / test instruction:

> 3. Check in the cookies to see that the cookie values are Base64 (just alphanumeric, no % or =).

I'm thinking it may be good to mention why the base64 encoded values do not have the = padding (reference: woocommerce/sourcebuster-js#6 (comment)), for our future selves and for the uninitiated (it can be confusing for other people because it may not be exactly base64 encoded values since the = is removed).
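
An added example, not code from this PR or from Sourcebuster: a decoder for the two cookie formats discussed above, useful when reviewing logged cookie values from a session that holds both formats (Tests 3 and 4). The function names, the format-detection heuristic and the sample field names are assumptions.

```javascript
// Added example: constructed sample values; not Sourcebuster or WooCommerce code.
const SEP = '|||'; // field separator from the PR's "original format"
// Field names below are constructed for the sample.
const SAMPLE = 'src=test_source_base64|||cmp=Éürøpãp🅰️|||mdm=test_medium';

// Base64 of the UTF-8 bytes with trailing "=" padding stripped, as the PR notes describe.
function encodeUnpaddedBase64(text) {
  let bin = '';
  for (const b of new TextEncoder().encode(text)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/=+$/, '');
}

// Restore the stripped padding, then decode strictly as UTF-8.
function decodeUnpaddedBase64(value) {
  const padded = value + '='.repeat((4 - (value.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Decode one cookie value in either format and split it into fields.
function parseAttributionCookie(raw) {
  let text;
  let format = 'legacy';
  // Standard Base64 alphabet ('+' and '/' can occur); unpadded length % 4 is never 1.
  if (/^[A-Za-z0-9+/]+$/.test(raw) && raw.length % 4 !== 1) {
    try {
      text = decodeUnpaddedBase64(raw);
      format = 'base64';
    } catch (e) { /* not valid Base64/UTF-8: treat as legacy below */ }
  }
  if (text === undefined) {
    try {
      text = decodeURIComponent(raw);
    } catch (e) {
      return { format: 'invalid', fields: {} }; // malformed percent-encoding
    }
  }
  const fields = {};
  for (const pair of text.split(SEP)) {
    const i = pair.indexOf('=');
    if (i > 0) fields[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return { format, fields };
}

console.log(parseAttributionCookie(encodeUnpaddedBase64(SAMPLE)));
console.log(parseAttributionCookie(encodeURIComponent(SAMPLE)));
```

Base64 here is only a transport encoding: anything that inspects these cookies has to decode them first, and the decoded fields remain untrusted client input.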

@layoutd layoutd merged commit 8541afa into trunk May 20, 2024
87 checks passed
@layoutd layoutd deleted the add/order-attribution-base64-encoding-cookies branch May 20, 2024 23:56
layoutd (Contributor, Author) commented May 20, 2024

Thanks @ecgan! I added another note to the PR description.

@github-actions github-actions bot added this to the 9.0.0 milestone May 20, 2024
@github-actions github-actions bot added the needs: analysis Indicates if the PR requires a PR testing scrub session. label May 20, 2024
@rodelgc rodelgc added status: analysis complete Indicates if a PR has been analysed by Solaris needs: external testing Indicates if the PR requires further testing conducted by testers external to the development team. and removed needs: analysis Indicates if the PR requires a PR testing scrub session. labels May 22, 2024