如何使Google跟踪代码管理器和内容安全政策共存？ [英] How to make Google Tag Manager and Content-Security-Policy coexist?

问题描述

内容安全策略（CSP）标题旨在保护您的应用免受恶意资源注入在您的网络应用中。为简单起见，您为所有图像，脚本，样式等提供了允许域名来源的白名单。

The Content-Security-Policy (CSP) header aims to protect your application against malicious resource injection in your web apps. To make it simple, you provide a whitelist of allowed domain origins for all your images, scripts, styles and so on.

同时，营销团队正在使用 Google跟踪代码管理器（GTM）来管理代码。原则是从页面收集信息，将它们发送到GTM并将这些数据用作变量来生成标签，模板化JS / HTML和这些变量的组合。

Meanwhile, Marketing team is using Google Tag Manager (GTM) to manage tags. The principle is to gather information from a page, send them to GTM and use those data as variables to generate tags, a mix of templated JS/HTML and those variables.

问题是这些标签中的大多数都包含javascript，用于向跟踪器，广告服务器或任何合作伙伴发送非常具体的数据。让我们假设我的营销团队意识到安全风险，并且不会包含恶意脚本。

The problem is that most of those tags contain javascript, for sending very specific data to trackers, ad servers or whatever partners. Let's assume my marketing team is aware of security risks and will not include malicious script.

有没有办法知道哪些域是由GTM导入的，所以它们可以自动添加到我的CSP上？

Is there a way to know which domains are imported by GTM so they can be automatically added on my CSP?

推荐答案

我认为没有办法直接开箱即用。
您可以做的是使用GTM API（ https://developers.google.com/tag-manager/api/v1/reference/accounts/containers/tags/list ）您可以基本上遍历所有自定义HTML 和自定义图像标签并收集主机名

I don't think there would be a way straight out of the box. What you can do is to use GTM API (https://developers.google.com/tag-manager/api/v1/reference/accounts/containers/tags/list) where you can basically iterate over all Custom HTML and Custom Image tags and collect hostnames

这篇关于如何使Google跟踪代码管理器和内容安全政策共存？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！