FEATURE: Implement nonces for Google Tag Manager integration (#12531)

2025-02-02 01:49:45 +08:00 · 2021-03-26 11:19:31 -04:00 · 2021-03-26 11:19:31 -04:00 · 5096920500
commit 5096920500
parent d858c7680a
7 changed files with 29 additions and 8 deletions
--- a/app/assets/javascripts/google-tag-manager.js
+++ b/app/assets/javascripts/google-tag-manager.js
@ -2,6 +2,7 @@
 (function () {
  const gtmDataElement = document.getElementById("data-google-tag-manager");
  const dataLayerJson = JSON.parse(gtmDataElement.dataset.dataLayer);
  const gtmNonce = gtmDataElement.dataset.nonce;
  // dataLayer declaration needs to precede the container snippet
  // https://developers.google.com/tag-manager/devguide#adding-data-layer-variables-to-a-page
@ -12,7 +13,9 @@
  (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
  new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
  j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
-  'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+  'https://www.googletagmanager.com/gtm.js?id='+i+dl;
  j.setAttribute("nonce", gtmNonce);
  f.parentNode.insertBefore(j,f);
  })(window,document,'script','dataLayer',gtmDataElement.dataset.containerId);
  /* eslint-enable */
 })();
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -35,6 +35,10 @@ module ApplicationHelper
    google_universal_analytics_json
  end
  def self.google_tag_manager_nonce
    @gtm_nonce ||= SecureRandom.hex
  end
  def shared_session_key
    if SiteSetting.long_polling_base_url != '/' && current_user
      sk = "shared_session_key"
--- a/app/helpers/common_helper.rb
+++ b/app/helpers/common_helper.rb
@ -8,14 +8,10 @@ module CommonHelper
  end
  def render_google_tag_manager_head_code
-    if Rails.env.production? && SiteSetting.gtm_container_id.present?
+    render partial: "common/google_tag_manager_head" if SiteSetting.gtm_container_id.present?
      render partial: "common/google_tag_manager_head"
    end
  end
  def render_google_tag_manager_body_code
-    if Rails.env.production? && SiteSetting.gtm_container_id.present?
+    render partial: "common/google_tag_manager_body" if SiteSetting.gtm_container_id.present?
      render partial: "common/google_tag_manager_body"
    end
  end
 end
--- a/app/views/common/_google_tag_manager_head.html.erb
+++ b/app/views/common/_google_tag_manager_head.html.erb
@ -1,5 +1,6 @@
 <meta id="data-google-tag-manager"
  data-data-layer="<%= google_tag_manager_json %>"
  data-nonce="<%= ApplicationHelper.google_tag_manager_nonce %>"
  data-container-id="<%= SiteSetting.gtm_container_id %>" />
 <%= preload_script 'google-tag-manager' %>
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@ -60,7 +60,10 @@ class ContentSecurityPolicy
        # we need analytics.js still as gtag/js is a script wrapper for it
        sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
        sources << 'https://www.googletagmanager.com/gtag/js' if SiteSetting.ga_universal_tracking_code.present? && SiteSetting.ga_version == "v4_gtag"
-        sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
+        if SiteSetting.gtm_container_id.present?
          sources << 'https://www.googletagmanager.com/gtm.js'
          sources << "'nonce-#{ApplicationHelper.google_tag_manager_nonce}'"
        end
      end
    end
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@ -94,6 +94,7 @@ describe ContentSecurityPolicy do
      script_srcs = parse(policy)['script-src']
      expect(script_srcs).to include('https://www.googletagmanager.com/gtm.js')
      expect(script_srcs.to_s).to include('nonce-')
    end
    it 'allowlists CDN assets when integrated' do
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@ -637,6 +637,19 @@ RSpec.describe ApplicationController do
      expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
    end
    it 'when GTM is enabled it adds the same nonce to the policy and the GTM tag' do
      SiteSetting.content_security_policy = true
      SiteSetting.gtm_container_id = 'GTM-ABCDEF'
      get '/latest'
      nonce = ApplicationHelper.google_tag_manager_nonce
      expect(response.headers).to include('Content-Security-Policy')
      script_src = parse(response.headers['Content-Security-Policy'])['script-src']
      expect(script_src.to_s).to include(nonce)
      expect(response.body).to include(nonce)
    end
    def parse(csp_string)
      csp_string.split(';').map do |policy|
        directive, *sources = policy.split