
Google Analytics URLs #648

Open
cristiandelgadod opened this issue Feb 29, 2024 · 1 comment

Comments


cristiandelgadod commented Feb 29, 2024

Currently, we have set up the CSP header like this:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' 'self' https://*.sitecorecloud.io https://*.moosend.com https://*.bootstrapcdn.com https://*.google.com https://*.gstatic.com https://development.vercel.app https://qa.vercel.app https://qa-wip.vercel.app https://demo.vercel.app https://demo-wip.vercel.app https://stage.vercel.app https://stage-wip.vercel.app https://prod.vercel.app https://prod-wip.vercel.app https://*.domain.com https://*.m-operations.com https://*.pusher.com wss://*.pusher.com https://vercel.live https://domain.vercel.app https://cdn.cookielaw.org https://*.onetrust.com https://*.googletagmanager.com https://*.google-analytics.com https://*.googleadservices.com https://cdn.stat-track.com/statics/moosend-tracking.min.js https://polyfill.io/v3/polyfill.min.js https://*.stat-track.com https://forms.m-pages.com https://*.doubleclick.net https://cdn.cookielaw.org https://sitecorecontenthub.cloud https://fonts.googleapis.com https://*.fontawesome.com; object-src 'none'; frame-ancestors 'none'; block-all-mixed-content; upgrade-insecure-requests;

But we got this error from our users in Vietnam:

Refused to load the image 'https://www.google.com.vn/ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&tid=G-VM&cid=31849107785&gtm=45je42q1v50045za200&aip=1&dma=0&gcd=13l3l3l3l1&npa=0&z=1324115001' because it violates the following Content Security Policy directive:

Given this, we would have to set up all the google.com domains for every country in the world so that GA4 tracking does not fail.

Is there an alternative way to set up the CSP so that it allows the domains with a wildcard, like google.com.*/ads/....?

Contributor

gapple commented Mar 19, 2024

tl;dr - no, it's not possible to use a wildcard for the TLD

Previous discussion: [#256]

From Google's documentation, you can find where they publish their full list of domains:
https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
From what I understand, normal visitor tracking does not require additional TLDs, only certain additional features use ccTLDs.

With Tag Manager, it can replicate a nonce value to additional scripts so that the full list of ccTLDs is not required, but that is not compatible with 'unsafe-inline' or 'unsafe-eval' which are included in your policy.
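The behaviour both comments rely on (a `*.` wildcard only matches labels to the left of the listed host, an `img-src` fetch falls back to `default-src`, and `*` is only legal at the start of a host) can be checked offline with the simplified CSP source matcher below. This is an added example written for this thread, not code from the issue or from any project; the policy string is a constructed, trimmed-down version of the one posted above, the page origin `https://example.com` is an assumption, and the matcher implements only the parts of the CSP3 host-source algorithm needed here (scheme, host, path; ports and `'strict-dynamic'` are ignored).

```python
"""Simplified CSP host-source matching (added example, not from the issue)."""
import re
from urllib.parse import urlsplit

# Constructed, trimmed-down policy modelled on the one in the issue (not verbatim).
POLICY = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com "
          "https://*.google-analytics.com https://*.googletagmanager.com "
          "https://*.doubleclick.net; object-src 'none'; frame-ancestors 'none'")
PAGE_ORIGIN = "https://example.com"  # assumed origin of the page sending the policy
GA_COM = "https://www.google.com/ads/ga-audiences?v=1&t=sr"     # constructed
GA_VN = "https://www.google.com.vn/ads/ga-audiences?v=1&t=sr"   # constructed

# CSP3 host-part grammar: "*" alone, or an optional "*." followed by labels.
# A "*" anywhere else (e.g. "google.com.*") is not a valid host-source.
_HOST_PART = re.compile(r"^(\*|(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?)$")

# Directives that fall back to default-src when absent (subset relevant here).
_FETCH_FALLBACK = {"img-src", "script-src", "connect-src", "style-src", "font-src"}


def is_valid_host_part(host: str) -> bool:
    """True if `host` is a syntactically valid CSP host-part."""
    return bool(_HOST_PART.match(host))


def host_matches(pattern: str, host: str) -> bool:
    """CSP3 host-part matching: a leading '*.' matches one or more labels on the
    left; the remainder must be a label-aligned suffix of the URL host."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # ".google.com" is a suffix of "www.google.com"
    return pattern == host


def _parse_source(source: str):
    """Split a host-source into (scheme|None, host, path|None)."""
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, path = rest.partition("/")
    host = host.split(":", 1)[0].lower()       # ports ignored in this example
    return scheme, host, ("/" + path) if path else None


def source_matches(source: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Does one source expression allow fetching `url`? Keyword sources other
    than 'self' never match a URL fetch."""
    u = urlsplit(url)
    if source.startswith("'"):
        return source == "'self'" and f"{u.scheme}://{u.netloc}" == page_origin
    scheme, host, path = _parse_source(source)
    # scheme-part matching: http also allows https, ws also allows wss
    if scheme is not None and u.scheme not in {scheme, {"http": "https", "ws": "wss"}.get(scheme)}:
        return False
    if not host_matches(host, (u.hostname or "").lower()):
        return False
    if path is not None:                        # exact file, or directory prefix
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def parse_policy(header: str) -> dict:
    """Header value -> {directive-name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def is_allowed(header: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> tuple:
    """Return (allowed, governing_directive) for a fetch governed by `directive`."""
    policy = parse_policy(header)
    governing = directive if directive in policy else (
        "default-src" if directive in _FETCH_FALLBACK and "default-src" in policy else None)
    if governing is None:
        return True, "no governing directive"
    sources = policy[governing]
    if sources == ["'none'"]:
        return False, governing
    return any(source_matches(s, url, page_origin) for s in sources), governing


if __name__ == "__main__":
    for url in (GA_COM, GA_VN):
        allowed, gov = is_allowed(POLICY, "img-src", url)
        print(f"{'allow' if allowed else 'REFUSE'} {url} ({gov})")
    print("google.com.* valid host-part?", is_valid_host_part("google.com.*"))
```

Running it shows the `.com` beacon is allowed via `default-src` while the `.com.vn` one is refused by the same directive, because `*.google.com` only widens the left-hand labels and `google.com.*` is not a host-source the parser would even accept. Per the CSP3 spec, browsers also ignore `'unsafe-inline'` for a directive once it carries a nonce or hash, which is the incompatibility gapple mentions; that rule is not modelled here.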
