Replace gtm script with nonce compatible version

Review changes
Download
Patches
Plain diff

Nicolas Dular requested to merge nicolasdular/change-gtm-to-nonce-compatible-script into master Apr 02, 2021

Overview 89
Commits 8
Pipelines 17
Changes 6

What does this MR do?

Initial issue: #223768 (closed)
Initial MR: !38395 (merged)
Infra Issue: https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11925
Feature flag rollout #346322 (closed)

After trying to set the GTM ID in our staging environment to test, we figured out that our content security policy doesn't allow requests to googletagmanager.com

This MR is using the nonce version of the GTM script (which I got from: https://developers.google.com/tag-manager/web/csp), to overcome the problem of not allowing certain hosts in our content security policy.

However, testing this locally, I couldn't get it to work and we still forbid connections.

How to debug locally

Checkout this branch - everything is prepared by hardcoding a nonce value and setting the content security policy in SessionsController to quickly try out changes.
Go to the sign in page

Screenshots (strongly suggested)

Even using the nonce compatible version, we are getting errors:

How to review changes locally?

Go to Google Tag Manager and create new container. Grab your ID there.
Edit your config/gitlab.yml and add under extra: values for google_tag_manager_nonce_id and google_tag_manager_id that should be your GTM id from previous step.
Restart GDK
Enable the feature flag with Feature.enable(:gtm_nonce) via Rails console.
Sign out from your local GDK instance.
Open the Tag Assistant and follow instructions there on enabling debuggin support on your localhost.
The Sign In page should be opened automatically via Tag Assistant and you should see the Tag Assistant box in your bottom right corner.

Does this MR meet the acceptance criteria?

Conformity

📋 Does this MR need a changelog?
- I have included a changelog entry.
- I have not included a changelog entry because _____.
Documentation (if required)
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers
Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

Edited Nov 23, 2021 by Phil Calder

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking