What does this MR do?
- Initial issue: #223768 (closed)
- Initial MR: !38395 (merged)
- Infra Issue: https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11925
- Feature flag rollout #346322 (closed)
After trying to set the GTM ID in our staging environment to test, we figured out that our content security policy doesn't allow requests to
This MR uses the `nonce` version of the GTM script (which I got from: https://developers.google.com/tag-manager/web/csp), to overcome the problem of not allowing certain hosts in our content security policy.
However, testing this locally, I couldn't get it to work and we still forbid connections.
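The following is an added example, not code from this MR or from GitLab: a small Ruby model of how a browser evaluates a nonce-based `script-src` against the two requests the GTM integration makes, the inline loader `<script nonce="...">` and the `gtm.js` it injects from `www.googletagmanager.com`. It encodes the CSP3 rules that a nonce only authorises the inline script carrying it, that once a nonce or hash is present `'unsafe-inline'` is ignored, and that a script element created by an already-trusted script is only covered when `'strict-dynamic'` is in the policy (in which case host sources are ignored); without `'strict-dynamic'` the host has to be allow-listed. The function names, the `extra_script_hosts` parameter and the `GTM-XXXXXXX` container ID are assumptions made for the example; it does not say what caused the errors reported above.

```ruby
require 'securerandom'
require 'uri'

# Per-response nonce. It must be unpredictable and fresh for every response,
# otherwise anyone who can inject markup into the page can reuse it.
def generate_nonce
  SecureRandom.base64(16)
end

# Build a policy for a page that embeds the GTM loader with a nonce.
# extra_script_hosts is a hypothetical parameter used to allow-list hosts.
def build_csp(nonce, strict_dynamic: false, extra_script_hosts: [])
  script_src = ["'self'", "'nonce-#{nonce}'"]
  script_src << "'strict-dynamic'" if strict_dynamic
  script_src.concat(extra_script_hosts)
  "default-src 'self'; script-src #{script_src.join(' ')}; connect-src 'self'"
end

# Parse a CSP header value into { directive => [source expressions] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    acc[tokens.first] = tokens.drop(1) unless tokens.empty?
  end
end

# script-src falls back to default-src when absent.
def script_sources(policy)
  policy.fetch('script-src') { policy.fetch('default-src', []) }
end

# Would an inline <script nonce="..."> run under this policy?
# Once any nonce or hash source is present, 'unsafe-inline' is ignored.
def inline_script_allowed?(policy, nonce)
  srcs = script_sources(policy)
  nonce_or_hash = srcs.any? { |s| s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-") }
  return srcs.include?("'unsafe-inline'") unless nonce_or_hash
  srcs.include?("'nonce-#{nonce}'")
end

# Does a host-source expression (https://www.googletagmanager.com, *.example.com, ...)
# match the URL? Scheme and path handling are simplified to exact/prefix matches.
def host_source_match?(src, uri)
  return false if src.start_with?("'") # keyword, nonce or hash, not a host
  return true if src == '*'
  scheme, rest = src.include?('://') ? src.split('://', 2) : [nil, src]
  return false if scheme && scheme != uri.scheme
  host, path = rest.split('/', 2)
  host_ok = host.start_with?('*.') ? uri.host.end_with?(host[1..]) : uri.host == host
  path_ok = path.nil? || path.empty? || uri.path.start_with?("/#{path}")
  host_ok && path_ok
end

# Would an external script at url load under this policy?
# created_by_trusted_script: the element was created with createElement/appendChild
# by an already-allowed (nonced) script, which is how the GTM loader injects gtm.js.
# With 'strict-dynamic' that propagated trust is what counts and host sources are
# ignored; without it the script's host must match a host source.
def external_script_allowed?(policy, url, created_by_trusted_script: false)
  srcs = script_sources(policy)
  return created_by_trusted_script if srcs.include?("'strict-dynamic'")
  uri = URI(url)
  srcs.any? { |s| host_source_match?(s, uri) }
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_nonce
  gtm_js = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX' # constructed URL
  [false, true].each do |sd|
    policy = parse_csp(build_csp(nonce, strict_dynamic: sd))
    puts "strict-dynamic=#{sd}: inline loader allowed=#{inline_script_allowed?(policy, nonce)}, " \
         "injected gtm.js allowed=#{external_script_allowed?(policy, gtm_js, created_by_trusted_script: true)}"
  end
end
```

Running the file prints one line per policy variant: with the nonce alone the inline loader is allowed but the injected `gtm.js` is not, with `'strict-dynamic'` added both are. The same check can be repeated with `extra_script_hosts: ['https://www.googletagmanager.com']` to see the host allow-list route. Note that `connect-src` and `img-src` are not modelled; the tags GTM later fires are governed by those directives.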
How to debug locally
- Check out this branch - everything is prepared by hardcoding a `nonce` value and setting the content security policy in SessionsController to quickly try out changes.
- Go to the sign in page
Screenshots (strongly suggested)
Even using the `nonce`-compatible version, we are getting errors:
How to review changes locally?
- Go to Google Tag Manager and create new container. Grab your ID there.
- Edit your `config/gitlab.yml` and add `google_tag_manager_id`, set to your GTM ID from the previous step.
- Restart GDK
- Enable the feature flag with `Feature.enable(:gtm_nonce)` via the Rails console.
- Sign out from your local GDK instance.
- Open the Tag Assistant and follow the instructions there on enabling debugging support on your localhost.
- The Sign In page should be opened automatically via Tag Assistant and you should see the Tag Assistant box in the bottom right corner.
Does this MR meet the acceptance criteria?
📋 Does this MR need a changelog?
I have included a changelog entry.
I have not included a changelog entry because _____.
Documentation (if required)
Code review guidelines
Merge request performance guidelines
Separation of EE specific content
Availability and Testing
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers
Informed Infrastructure department of a default or new setting change, if applicable per definition of done
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
Label as security and @ mention
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team