
Updates CSP for Google Analytics 4

Miguel Rincon requested to merge 424144-sign-in-page-yields-csp-errors into master

What does this MR do and why?

This change updates the Content Security Policy for Google Analytics according to the "Use Tag Manager with a Content Security Policy" guide.

This effectively adds a new pattern, *.g.doubleclick.net, to prevent CSP errors from appearing when connecting to Google Analytics.

See: https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics

Changelog: changed

Screenshots or screen recordings

Note: Check the addition of *.g.doubleclick.net in the headers.

Before:

base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 https://sentry.example.com https://cdn.cookielaw.org https://*.onetrust.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https: *.google-analytics.com *.googletagmanager.com; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://*.onetrust.com https://cdn.bizible.com/scripts/bizible.js *.googletagmanager.com 'nonce-kyMdEcJkqE4g4QIONpNN2g=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:

After:

base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 https://sentry.example.com https://cdn.cookielaw.org https://*.onetrust.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https: *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://*.onetrust.com https://cdn.bizible.com/scripts/bizible.js *.googletagmanager.com 'nonce-Xz+HXkzs7hdpB6uEW9lM6Q=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:

How to set up and validate locally

  1. Start your GDK
  2. Open the log in page at http://gdk.test:3000/users/sign_in (sign out or use an incognito window)
  3. Open the console and inspect CSP header of the first request
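Eyeballing a header this long in the browser console is error-prone, and two responses never match as raw strings because the script-src nonce changes per request. The Ruby script below is an added example (not GitLab's code and not part of this MR): it parses a CSP value into directive/source lists, diffs two policies while ignoring nonce sources, and checks that the sources the MR's "after" header lists for connect-src and img-src are all present. The embedded BEFORE_CSP/AFTER_CSP strings are constructed, cut down from the headers above to the directives that change; with the CSP_URL environment variable set (assumption: the sign-in page responds directly, without a redirect) it checks the live header of your GDK instead. Worth noting when reviewing: the diff touches only connect-src and img-src, so the new host can be contacted and can serve images but is not granted script execution.

```ruby
require 'net/http'
require 'uri'

# Parse a CSP header value into { "directive" => [source, ...] }.
# Directives are ';'-separated, sources whitespace-separated; a repeated
# directive is ignored after its first occurrence, as browsers do.
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] ||= sources
  end
end

# Per-request nonces differ between any two responses, so drop them before
# comparing policies; everything else in a directive should be stable.
def stable_sources(sources)
  sources.reject { |s| s.start_with?("'nonce-") }
end

# Return { directive => { added: [...], removed: [...] } } for every
# directive whose nonce-free source list differs between two policies.
def diff_csp(before, after)
  old_policy = parse_csp(before)
  new_policy = parse_csp(after)
  (old_policy.keys | new_policy.keys).each_with_object({}) do |name, changes|
    old_sources = stable_sources(old_policy.fetch(name, []))
    new_sources = stable_sources(new_policy.fetch(name, []))
    added = new_sources - old_sources
    removed = old_sources - new_sources
    changes[name] = { added: added, removed: removed } unless added.empty? && removed.empty?
  end
end

# Return [[directive, host], ...] for every expected host that is absent
# from its directive; an empty array means the policy carries them all.
def missing_sources(header, expected)
  policy = parse_csp(header)
  expected.flat_map do |directive, hosts|
    present = policy.fetch(directive, [])
    hosts.reject { |h| present.include?(h) }.map { |h| [directive, h] }
  end
end

# Constructed samples: the MR's before/after headers, reduced to the
# directives that matter here (unchanged gdk.test and third-party sources
# are omitted).
BEFORE_CSP = "default-src 'self'; " \
  "connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com; " \
  "img-src 'self' data: blob: http: https: *.google-analytics.com *.googletagmanager.com; " \
  "script-src 'strict-dynamic' 'self' *.googletagmanager.com 'nonce-kyMdEcJkqE4g4QIONpNN2g=='; " \
  "object-src 'none'"
AFTER_CSP = "default-src 'self'; " \
  "connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; " \
  "img-src 'self' data: blob: http: https: *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; " \
  "script-src 'strict-dynamic' 'self' *.googletagmanager.com 'nonce-Xz+HXkzs7hdpB6uEW9lM6Q=='; " \
  "object-src 'none'"

# The Google Analytics sources the MR's "after" header lists in connect-src
# and img-src. Nothing is expected in script-src: the new host may be
# contacted and may serve images, but not execute code.
EXPECTED_GA_SOURCES = {
  'connect-src' => %w[*.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net],
  'img-src'     => %w[*.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net]
}.freeze

# Fetch the live header, e.g. CSP_URL=http://gdk.test:3000/users/sign_in
# (assumption: the page answers directly rather than redirecting).
def fetch_csp(url)
  Net::HTTP.get_response(URI(url))['content-security-policy']
end

if $PROGRAM_NAME == __FILE__
  header = ENV['CSP_URL'] ? fetch_csp(ENV['CSP_URL']) : AFTER_CSP
  diff_csp(BEFORE_CSP, header).each do |name, change|
    puts "#{name}: +#{change[:added].join(' ')} -#{change[:removed].join(' ')}"
  end
  missing = missing_sources(header, EXPECTED_GA_SOURCES)
  puts(missing.empty? ? 'OK: all expected GA sources present' : "MISSING: #{missing.inspect}")
end
```

Run it with no arguments to see the diff between the two sample headers (connect-src gains *.g.doubleclick.net; img-src gains *.analytics.google.com and *.g.doubleclick.net; script-src is reported unchanged because only its nonce differs), or with CSP_URL pointing at your GDK's sign-in page to validate the header the running instance actually sends.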

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #424144 (closed)

Edited by Miguel Rincon
