The Content-Security-Policy (CSP) header aims to protect your application against malicious resource injection in your web apps. To make it simple, you provide a whitelist of allowed domain origins for all your images, scripts, styles and so on.
Meanwhile, Marketing team is using Google Tag Manager (GTM) to manage tags. The principle is to gather information from a page, send them to GTM and use those data as variables to generate tags, a mix of templated JS/HTML and those variables.
The problem is that most of those tags contain javascript, for sending very specific data to trackers, ad servers or whatever partners. Let's assume my marketing team is aware of security risks and will not include malicious script.
Is there a way to know which domains are imported by GTM so they can be automatically added on my CSP?
asked Dec 5, 2016 at 12:35 by Alain (edited Dec 5, 2016 at 12:53)

Comments:
- For a given value of "automatically" you can download custom image tags and custom html tags via the GTM API and parse them for strings that might indicate an origin domain. However I think "let's assume nobody does anything malicious" is not a good approach when you are talking about security features. A few related slides from a talk I did recently might help to illustrate why: slideshare/EikePierstorff/… – Eike Pierstorff, Dec 5, 2016 at 13:04
- Excellent presentation, even better on Youtube. You describe GTM very well, "XSS as a Service", conflicting with CSP. As Google created GTM I think it is (or at least, should be) used by people aware of security risks; that's why I'm assuming what's given to GTM is safe. Anyway, I'll think about that later on, thanks for your insights. – Alain, Dec 5, 2016 at 14:05
2 Answers
This is a big problem and I'm surprised how little information there is on this. Beware of any solutions that suggest setting unsafe-inline in your CSP, as it makes the policy so weak it's almost useless.
To answer your direct question, there is no way of knowing which domains are used by GTM programmatically. I recommend setting CSP to report-only mode and using the errors as your guide to creating the whitelist.
To answer the broader question of how to make them coexist, the primary solution is to use a nonce value and the nonce-aware GTM script as described by Google here: https://developers.google.com/tag-manager/web/csp
In short:
- Generate a nonce value - this needs to be done on every page load to be effective
- Whitelist the nonce in your CSP
- Apply it to any inline scripts including GTM
- Whitelist any hosts that resources loaded by GTM use
However, this solution is incomplete as GTM doesn't seem to propagate the nonce to any Custom HTML tags. In order to do that you must:
- Add an id, such as "gtm_script" to the nonce-aware version of the GTM script tag - this will be used to target the element and capture nonce
- Add a data attribute that will store the nonce value e.g. data-nonce="[your nonce value here]"
- In GTM, create a new variable to capture the nonce. Use DOM Element type, and select the ID of the GTM snippet (gtm_script in this guide), then get the nonce value from the data attribute
- In GTM, add the nonce value to any Custom HTML scripts
- In GTM, enable Support document.write using the checkbox
For a more thorough guide, including screen shots of GTM, please see this article: https://rbultitudezone.medium.com/tag-manager-services-and-website-security-using-gtm-with-csp-5749a610c600
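The server side of the steps above, as an added example that is not part of the answer and not Google's code: a per-response nonce, a CSP header that starts in report-only mode, the GTM snippet rendered with the `gtm_script` id and `data-nonce` attribute the answer describes, and a check that no inline script in the final page is missing the nonce. The container id and the `.test` hosts are placeholders; the inline loader body is a simplified stand-in for the nonce-aware snippet on the Google page linked above, which is what should be pasted in production.

```python
import base64
import html
import re
import secrets

# Placeholder container id (assumption); substitute the real one from the GTM admin UI.
GTM_CONTAINER_ID = "GTM-XXXXXXX"
# Origin the GTM loader (gtm.js) is fetched from; must be allowed in script-src.
GTM_HOST = "https://www.googletagmanager.com"


def make_nonce() -> str:
    """Fresh 128-bit nonce for every response, base64-encoded as the CSP grammar expects.
    Reusing a nonce across responses defeats its purpose."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, extra_hosts=(), report_only: bool = False):
    """Return (header name, header value).

    extra_hosts are the origins that resources loaded by GTM tags need. Start with
    report_only=True, grow extra_hosts from the violation reports posted to
    /csp-report, then flip to enforcing. No 'unsafe-inline' anywhere."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", GTM_HOST, *extra_hosts],
        "img-src": ["'self'", GTM_HOST, *extra_hosts],
        "connect-src": ["'self'", *extra_hosts],
        "report-uri": ["/csp-report"],
    }
    value = "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def render_gtm_snippet(nonce: str, container_id: str = GTM_CONTAINER_ID) -> str:
    """GTM loader <script> carrying the nonce, plus the id and data-nonce attribute that a
    GTM 'DOM Element' variable reads so Custom HTML tags can be given the same nonce."""
    # The id is interpolated into JavaScript, so refuse anything outside the GTM-... shape.
    if not re.fullmatch(r"GTM-[A-Z0-9]+", container_id):
        raise ValueError("container id must look like GTM-XXXXXXX")
    n = html.escape(nonce, quote=True)
    loader = (
        "(function(w,d,s,l,i){w[l]=w[l]||[];"
        "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
        "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);"
        "j.async=true;j.src='" + GTM_HOST + "/gtm.js?id='+i;"
        # Copy the nonce from the first nonced element onto the dynamically added script.
        "var n=d.querySelector('[nonce]');"
        "n&&j.setAttribute('nonce',n.nonce||n.getAttribute('nonce'));"
        "f.parentNode.insertBefore(j,f);})"
        "(window,document,'script','dataLayer','" + container_id + "');"
    )
    return f'<script id="gtm_script" nonce="{n}" data-nonce="{n}">{loader}</script>'


SCRIPT_OPEN_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def unnonced_inline_scripts(document: str, nonce: str) -> list:
    """Opening tags of inline <script> elements that do not carry this response's nonce.
    Under the policy above, every entry returned here would be blocked (or reported)."""
    wanted = f'nonce="{html.escape(nonce, quote=True)}"'  # double-quoted attribute assumed
    offenders = []
    for m in SCRIPT_OPEN_RE.finditer(document):
        attrs = m.group(1)
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: governed by the host allow-list, not the nonce
        if wanted not in attrs:
            offenders.append(m.group(0))
    return offenders


if __name__ == "__main__":
    nonce = make_nonce()
    print(*build_csp(nonce, ("https://cdn.example-tracker.test",), report_only=True), sep=": ")
    page = render_gtm_snippet(nonce, "GTM-ABC123") + "<script>console.log('app')</script>"
    print("inline scripts missing the nonce:", unnonced_inline_scripts(page, nonce))
```

The check at the end is worth running in a test against every server-rendered template: an inline script that slipped in without the nonce is exactly the kind of breakage that tempts people into adding `'unsafe-inline'`.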
I don't think there would be a way straight out of the box. What you can do is to use the GTM API (https://developers.google.com/tag-manager/api/v1/reference/accounts/containers/tags/list) where you can basically iterate over all Custom HTML and Custom Image tags and collect hostnames.
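Both ways of deriving the allow-list, as an added example that is not part of either answer and not the GTM API client: parsing the Custom HTML and Custom Image tags returned by tags.list for hostnames (this answer), and aggregating the violation reports a browser posts in report-only mode (the first answer). The tags and reports below are constructed samples with `.test` hosts; the `type`/`parameter` shape assumed for a tag (`html` or `img`, with `template` parameters) is my reading of the linked API reference and should be checked against it, and an offline API call is assumed to have already produced the list.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Absolute or protocol-relative URL inside tag markup. The host must contain a dot so that
# JavaScript comments ("//TODO") and GTM template references ("{{Page URL}}") are skipped.
HOST_RE = re.compile(r"(?:https?:)?//(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def hosts_in_tag(tag: dict) -> set:
    """Hostnames referenced by one Custom HTML ('html') or Custom Image ('img') tag.
    Tag shape assumed: {'type': ..., 'parameter': [{'type': 'template', 'key': ..., 'value': ...}]}.
    Hosts that only appear through a GTM variable are invisible here; reports catch those."""
    found = set()
    if tag.get("type") not in ("html", "img"):
        return found
    for param in tag.get("parameter", []):
        if param.get("type") != "template":
            continue
        for m in HOST_RE.finditer(param.get("value", "")):
            found.add(m.group("host").lower())
    return found


def hosts_in_container(tags) -> dict:
    """Map host -> names of the tags that reference it, across a tags.list result."""
    by_host = defaultdict(set)
    for tag in tags:
        for host in hosts_in_tag(tag):
            by_host[host].add(tag.get("name", "?"))
    return dict(by_host)


def hosts_from_csp_reports(report_lines) -> dict:
    """Group blocked hosts by directive from report-only violation reports, one JSON body
    per line. A blocked-uri of 'inline' or 'eval' is not a missing host: it is a script or
    style that did not get the nonce."""
    by_directive = defaultdict(set)
    for line in report_lines:
        body = json.loads(line).get("csp-report", {})
        # Newer reports carry effective-directive; older ones only the full violated-directive.
        parts = (body.get("effective-directive") or body.get("violated-directive", "")).split()
        directive = parts[0] if parts else "unknown"
        blocked = body.get("blocked-uri", "")
        if blocked in ("inline", "eval"):
            by_directive[directive].add(f"<{blocked}>")
        else:
            host = urlsplit(blocked).hostname
            if host:
                by_directive[directive].add(host)
    return dict(by_directive)


def suggested_sources(by_directive: dict) -> dict:
    """Candidate CSP source entries per directive; inline/eval findings are dropped
    because the fix for them is a nonce, not an allow-list entry."""
    return {
        directive: sorted("https://" + item for item in items if not item.startswith("<"))
        for directive, items in by_directive.items()
    }


# Constructed sample of a tags.list result (placeholder hosts, not real partners).
SAMPLE_TAGS = [
    {"name": "Tracker pixel", "type": "html", "parameter": [{"type": "template", "key": "html", "value":
        "<script src=\"https://cdn.example-tracker.test/pixel.js\"></script>\n"
        "<script>//TODO remove\nfetch('//api.example-ads.test/c?u={{Page URL}}')</script>"}]},
    {"name": "Conversion image", "type": "img", "parameter": [
        {"type": "template", "key": "url", "value": "https://px.example-ads.test/conv.gif"}]},
    {"name": "GA pageview", "type": "ua", "parameter": []},  # built-in tag type, not parsed
]

# Constructed sample of report-only violation reports as a browser would POST them.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example.test/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example-tracker.test/pixel.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example.test/",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example.test/",
                               "effective-directive": "connect-src",
                               "blocked-uri": "https://api.example-ads.test/c?u=..."}}),
]

if __name__ == "__main__":
    print("from tags:", hosts_in_container(SAMPLE_TAGS))
    print("from reports:", suggested_sources(hosts_from_csp_reports(SAMPLE_REPORTS)))
```

The two views complement each other: the tag parser tells you which tag introduced a host (useful when marketing asks why something broke), while the reports also surface hosts that only exist at runtime, such as a redirect chain behind a pixel, and flag every inline script that still lacks the nonce.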