google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

www.googletagmanager.com does not need unsafe-eval for CSP bypass #61

Open masatokinugawa opened 1 year ago

masatokinugawa commented 1 year ago

Currently the evaluator believes that a bypass via www.googletagmanager.com requires unsafe-eval. However, this endpoint hosts AngularJS: https://www.googletagmanager.com/debug/badge

Also, this endpoint returns JSONP: https://www.googletagmanager.com/debug/api/vtinfo?gtm_auth=xFSd[...]&env_id=env-3&public_id=GTM-[GTMID_HERE]&templates=&callback=element.click

Therefore, unsafe-eval is actually not needed. Since Google Tag Manager is a very popular tool, I think it would be better if this bypass was detected.
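The check the issue asks for, as an added example that is not csp-evaluator's own code: a small CSP parser plus a known-bypass-host table in which each entry records whether its gadget depends on `'unsafe-eval'`. `www.googletagmanager.com` is entered with `needsUnsafeEval: false` for the reason the issue gives; `eval-dependent.example` is a constructed placeholder host used only to show the contrast, and the function, type and host names are assumptions of this example.

```typescript
// Added example, not csp-evaluator's code. Flags script-src (or default-src)
// sources that cover a host known to serve AngularJS or JSONP, and only gates
// on 'unsafe-eval' for hosts whose gadget actually needs it.

interface BypassHost {
  reason: string;
  needsUnsafeEval: boolean; // true only if the hosted gadget is an eval-style sink
}

// Known-bypass table. www.googletagmanager.com and its reason come from the
// issue above; eval-dependent.example is a constructed placeholder.
const KNOWN_BYPASS_HOSTS: Record<string, BypassHost> = {
  "www.googletagmanager.com": {
    reason: "hosts AngularJS (/debug/badge) and a JSONP endpoint (/debug/api/vtinfo ... &callback=)",
    needsUnsafeEval: false,
  },
  "eval-dependent.example": {
    reason: "constructed placeholder for a host whose only gadget relies on eval()",
    needsUnsafeEval: true,
  },
};

interface Finding {
  directive: string;
  source: string;
  host: string;
  reason: string;
}

// Parse "name v1 v2; name2 v3" into a map. A repeated directive name is
// ignored by browsers, so the first occurrence wins here too.
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host part of a host-source expression, or null for keywords, nonces, hashes
// and scheme-only sources such as "https:" (those belong to other checks).
function hostOf(source: string): string | null {
  if (source.startsWith("'")) return null;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return null;
  const withoutScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const host = withoutScheme.split("/")[0].split(":")[0]; // drop path and port
  return host ? host.toLowerCase() : null;
}

// Does a policy host pattern ("*", "*.example.com", "www.example.com") cover host?
function hostMatches(pattern: string, host: string): boolean {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function findBypassSources(policy: string): Finding[] {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const directive = directives.has("script-src") ? "script-src"
                  : directives.has("default-src") ? "default-src" : null;
  if (directive === null) return [];
  const sources = directives.get(directive)!;
  const hasUnsafeEval = sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  const findings: Finding[] = [];
  for (const source of sources) {
    const pattern = hostOf(source);
    if (pattern === null) continue;
    for (const [host, info] of Object.entries(KNOWN_BYPASS_HOSTS)) {
      if (!hostMatches(pattern, host)) continue;
      if (info.needsUnsafeEval && !hasUnsafeEval) continue; // gadget is unreachable
      findings.push({ directive, source, host, reason: info.reason });
    }
  }
  return findings;
}

// Usage on a constructed policy: reports the GTM source even though
// 'unsafe-eval' is absent, which is the point of the issue.
console.log(findBypassSources("default-src 'self'; script-src 'self' https://www.googletagmanager.com"));
```

The distinction that matters is the per-host `needsUnsafeEval` flag: a host serving AngularJS or a JSONP endpoint is flagged whenever the policy allows it, while a host whose gadget is only an eval-style sink stays quiet until `'unsafe-eval'` is also present. Wildcard sources (`*`, `*.googletagmanager.com`) are resolved against the table so a broad allow-list cannot hide the host.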