google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

Needs eval for Google Analytics #4

Closed (april closed this issue 4 years ago)

april commented 7 years ago

Is this true? I'm pretty sure that I've seen a lot of sites with GA + CSP, but without eval(). I don't think that's the case for GTM, but I'm pretty sure it is for GA.

lweichselbaum commented 7 years ago

'NEEDS_EVAL' contains all bypasses that also need 'unsafe-eval' in the policy to work. So you're right: GA works without eval, but some features (iirc tagmanager) used for the bypass do require eval to work. So this means that the policy can only be bypassed (with the bypasses we found) if it whitelists GA and has 'unsafe-eval'.

april commented 7 years ago

Is GTM a part of GA natively? You don't need to specifically include it (and unsafe-eval) to bypass the policy, only GA (and unsafe-eval)?

lweichselbaum commented 7 years ago

No, GTM is not part of the native GA. We only flag a CSP as bypassable if GTM is whitelisted (either domain or full path) AND 'unsafe-eval' is on. https://csp-evaluator.withgoogle.com?csp=script-src https://www.google-analytics.com/ga.js;object-src 'none'

Currently NEEDS_EVAL is only used to mark all the domains serving GTM as not exploitable if there's no 'unsafe-eval'.

I know this is a bit confusing, sorry for that...
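The rule described in this thread (a GTM-serving origin in script-src is only reported as a real bypass when 'unsafe-eval' is also present, and otherwise carries the NEEDS_EVAL marker) can be written as a small standalone checker. The following is an added example, not code from csp-evaluator; the `GTM_SERVING_HOSTS` list is an assumption made for illustration, and host-level matching is used for both domain and full-path whitelists, which is a conservative simplification of what the evaluator does.

```javascript
// Added example (not csp-evaluator code): classify a CSP according to the
// NEEDS_EVAL rule discussed above. A policy is reported as bypassable only
// when a GTM-serving host is whitelisted in the effective script-src AND
// 'unsafe-eval' is present; GTM without 'unsafe-eval' is NEEDS_EVAL.

// Assumed list of hosts that serve Google Tag Manager (illustrative only;
// in practice use the evaluator's own bypass lists).
const GTM_SERVING_HOSTS = ['www.googletagmanager.com', 'www.google-analytics.com'];

// Parse "directive value value; directive value" into a lookup table.
function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// script-src falls back to default-src when absent, as per the CSP spec.
function effectiveScriptSrc(directives) {
  return directives['script-src'] || directives['default-src'] || [];
}

// Reduce a host-source such as https://www.example.com/path:443 to its host.
function hostOfSource(src) {
  const withoutScheme = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return withoutScheme.split('/')[0].split(':')[0].toLowerCase();
}

// Does a single source expression whitelist the given target host?
function sourceAllowsHost(src, target) {
  if (src.startsWith("'")) return false;                 // keyword / nonce / hash
  if (src === '*') return true;                          // wildcard host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return true;    // scheme-source, e.g. https:
  const host = hostOfSource(src);
  if (host === target) return true;
  if (host.startsWith('*.')) return target.endsWith(host.slice(1));
  return false;
}

// Returns { hasUnsafeEval, gtmWhitelisted, finding } where finding is one of
// 'HIGH' (bypassable), 'NEEDS_EVAL' (GTM allowed but no eval) or 'NONE'.
function evaluateGtmBypass(policy) {
  const scriptSrc = effectiveScriptSrc(parseCsp(policy));
  const hasUnsafeEval = scriptSrc.some(v => v.toLowerCase() === "'unsafe-eval'");
  const gtmWhitelisted = scriptSrc.some(v =>
    GTM_SERVING_HOSTS.some(h => sourceAllowsHost(v, h)));
  let finding = 'NONE';
  if (gtmWhitelisted && hasUnsafeEval) finding = 'HIGH';
  else if (gtmWhitelisted) finding = 'NEEDS_EVAL';
  return { hasUnsafeEval, gtmWhitelisted, finding };
}

// Usage: the policy from the thread's link is NEEDS_EVAL, not a bypass.
console.log(evaluateGtmBypass("script-src https://www.google-analytics.com/ga.js;object-src 'none'"));
```

Note that a scheme-source such as `https:` or a bare `*` is treated as whitelisting the GTM hosts too, since either one allows scripts from those origins even though the host name never appears in the policy.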