Updates CSP for Google Analytics 4
What does this MR do and why?
This change updates the Content Security Policy for Google Analytics according to the "Use Tag Manager with a Content Security Policy" guide.
Effectively adds a new pattern, *.g.doubleclick.net, to prevent CSP errors from appearing when connecting to Google Analytics.
See: https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
Changelog: changed
Screenshots or screen recordings
Note: Check the addition of *.g.doubleclick.net in the connect-src and img-src directives of the headers.
Before:
```
base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 https://sentry.example.com https://cdn.cookielaw.org https://*.onetrust.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https: *.google-analytics.com *.googletagmanager.com; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://*.onetrust.com https://cdn.bizible.com/scripts/bizible.js *.googletagmanager.com 'nonce-kyMdEcJkqE4g4QIONpNN2g=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
```
After:
```
base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 https://sentry.example.com https://cdn.cookielaw.org https://*.onetrust.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ https://*.zuora.com/apps/PublicHostedPageLite.do http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https: *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://*.onetrust.com https://cdn.bizible.com/scripts/bizible.js *.googletagmanager.com 'nonce-Xz+HXkzs7hdpB6uEW9lM6Q=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
```
How to set up and validate locally
- Start your GDK
- Open the log in page at http://gdk.test:3000/users/sign_in (sign out or use an incognito window)
- Open the console and inspect CSP header of the first request
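Reading two CSP headers of this length by eye is error-prone, so here is an added Ruby example (not GitLab's own code) that parses a Content-Security-Policy header into a directive-to-sources map, diffs the Before and After policies directive by directive while ignoring the per-response nonce, and checks that a required source is present. The BEFORE and AFTER constants are constructed, shortened versions of the headers above, keeping only the directives the MR touches.

```ruby
# Added example, not GitLab's code: parse and diff Content-Security-Policy headers.

# Parse "directive src src; directive src" into { "directive" => [sources...] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, policy|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    name, *sources = tokens
    policy[name] = sources
  end
end

# Return { directive => { added: [...], removed: [...] } } for directives that differ.
# 'nonce-...' sources are regenerated on every response, so they are ignored.
def diff_csp(before, after)
  old_policy = parse_csp(before)
  new_policy = parse_csp(after)
  (old_policy.keys | new_policy.keys).each_with_object({}) do |directive, changes|
    a = (old_policy[directive] || []).reject { |s| s.start_with?("'nonce-") }
    b = (new_policy[directive] || []).reject { |s| s.start_with?("'nonce-") }
    added = b - a
    removed = a - b
    changes[directive] = { added: added, removed: removed } unless added.empty? && removed.empty?
  end
end

# True when every expected source is listed in the given directive of the policy.
def csp_allows?(header, directive, *expected)
  sources = parse_csp(header).fetch(directive, [])
  expected.all? { |src| sources.include?(src) }
end

# Constructed, shortened versions of the Before/After headers from the MR description.
BEFORE = "default-src 'self'; connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com; img-src 'self' data: *.google-analytics.com *.googletagmanager.com; script-src 'self' *.googletagmanager.com 'nonce-kyMdEcJkqE4g4QIONpNN2g=='"
AFTER = "default-src 'self'; connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; img-src 'self' data: *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net; script-src 'self' *.googletagmanager.com 'nonce-Xz+HXkzs7hdpB6uEW9lM6Q=='"

if __FILE__ == $PROGRAM_NAME
  diff_csp(BEFORE, AFTER).each do |directive, change|
    puts "#{directive}: +#{change[:added].join(' ')} -#{change[:removed].join(' ')}"
  end
end
```

Run against the full headers from the MR, the diff reports only connect-src and img-src, which is the check the "validate locally" steps ask for; note that img-src also gains *.analytics.google.com, not just *.g.doubleclick.net. To feed it a live header instead of the constants, capture it with `curl -sI http://gdk.test:3000/users/sign_in` and pass the value of the content-security-policy line to `parse_csp`.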
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #424144 (closed)