Replace gtm script with nonce compatible version

Merged Nicolas Dular requested to merge nicolasdular/change-gtm-to-nonce-compatible-script into master

What does this MR do?

After trying to set the GTM ID in our staging environment to test, we figured out that our content security policy doesn't allow requests to googletagmanager.com

This MR is using the nonce version of the GTM script (which I got from: https://developers.google.com/tag-manager/web/csp), to overcome the problem of not allowing certain hosts in our content security policy.

However, testing this locally, I couldn't get it to work and we still forbid connections.

How to debug locally

  1. Checkout this branch - everything is prepared by hardcoding a nonce value and setting the content security policy in SessionsController to quickly try out changes.
  2. Go to the sign in page

Screenshots (strongly suggested)

Even using the nonce compatible version, we are getting errors:

How to review changes locally?

  1. Go to Google Tag Manager and create new container. Grab your ID there.
  2. Edit your config/gitlab.yml and add under extra: values for google_tag_manager_nonce_id and google_tag_manager_id that should be your GTM id from previous step.
  3. Restart GDK
  4. Enable the feature flag with Feature.enable(:gtm_nonce) via Rails console.
  5. Sign out from your local GDK instance.
  6. Open the Tag Assistant and follow instructions there on enabling debuggin support on your localhost.
  7. The Sign In page should be opened automatically via Tag Assistant and you should see the Tag Assistant box in your bottom right corner.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Phil Calder