w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Google Analytics URLs #648

Open cristiandelgadod opened 8 months ago

cristiandelgadod commented 8 months ago

Currently, we have set up the CSP header like this:

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' 'self' https://*.sitecorecloud.io https://*.moosend.com https://*.bootstrapcdn.com https://*.google.com https://*.gstatic.com https://development.vercel.app https://qa.vercel.app https://qa-wip.vercel.app https://demo.vercel.app https://demo-wip.vercel.app https://stage.vercel.app https://stage-wip.vercel.app https://prod.vercel.app https://prod-wip.vercel.app https://*.domain.com https://*.m-operations.com https://*.pusher.com wss://*.pusher.com https://vercel.live https://domain.vercel.app https://cdn.cookielaw.org https://*.onetrust.com https://*.googletagmanager.com https://*.google-analytics.com https://*.googleadservices.com https://cdn.stat-track.com/statics/moosend-tracking.min.js https://polyfill.io/v3/polyfill.min.js https://*.stat-track.com https://forms.m-pages.com https://*.doubleclick.net https://cdn.cookielaw.org https://sitecorecontenthub.cloud https://fonts.googleapis.com https://*.fontawesome.com; object-src 'none'; frame-ancestors 'none'; block-all-mixed-content; upgrade-insecure-requests;

But we got this error from our users in Vietnam:

Refused to load the image 'https://www.google.com.vn/ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&tid=G-VM&cid=31849107785&gtm=45je42q1v50045za200&aip=1&dma=0&gcd=13l3l3l3l1&npa=0&z=1324115001' because it violates the following Content Security Policy directive:

Given this, we would have to set up all the google.com domains for every country in the world so that GA4 tracking does not fail.

Is there an alternative way to set up CSP so that it allows the domains with a wildcard, like google.com.*/ads/...?

gapple commented 7 months ago

tl;dr - no, it's not possible to use a wildcard for TLD

Previous discussion: #256

From Google's documentation, you can find where they publish their full list of domains: https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics

From what I understand, normal visitor tracking does not require additional TLDs; only certain additional features use ccTLDs.

With Tag Manager, it can replicate a nonce value to additional scripts so that the full list of ccTLDs is not required, but that is not compatible with 'unsafe-inline' or 'unsafe-eval' which are included in your policy.
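To make the answer concrete, here is an added example (not code from the w3c/webappsec-csp repository or from either commenter): a simplified CSP3 host-source matcher in JavaScript covering scheme, host, port and path matching, with IP-address hosts and redirect handling left out. Run against an excerpt of the posted header, it shows that `https://*.google.com` matches `www.google.com` but not `www.google.com.vn`, that the leading `*.` label is the only wildcard the host-part grammar accepts (so `google.com.*` does not even parse as a host-source), and that the failing image load falls under `default-src` because the policy has no `img-src`. The `SELF_ORIGIN` value and the shortened policy are constructed for the example.

```javascript
// Added example: a simplified CSP3 host-source matcher (no IP-address or
// redirect handling). Not the project's own code.

// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
function parsePolicy(serialized) {
  const policy = {};
  for (const directive of serialized.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Split a host-source such as "https://*.google.com:443/ads/" into its parts.
// A leading "*." label is the only wildcard the host-part grammar allows, so
// "google.com.*" fails to parse (a browser drops it with a console warning).
// Returns null for anything that is not a host-source (keywords, nonces, hashes).
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1]?.toLowerCase() ?? null, host: m[2].toLowerCase(), port: m[3] ?? null, path: m[4] ?? null };
}

// CSP3 host-part matching: "*" matches any host; "*.example.com" matches hosts
// ending in ".example.com" (not "example.com" itself); otherwise exact match.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// CSP3 scheme-part matching: a secure scheme satisfies its insecure pattern.
function schemeMatches(pattern, scheme) {
  if (pattern === scheme) return true;
  if (pattern === "http") return scheme === "https";
  if (pattern === "ws") return ["wss", "http", "https"].includes(scheme);
  if (pattern === "wss") return scheme === "https";
  return false;
}

const DEFAULT_PORT = { http: "80", https: "443", ws: "80", wss: "443" };

function urlMatchesHostSource(url, src, selfOrigin) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  // A source without a scheme inherits the scheme of the protected resource.
  const patternScheme = src.scheme ?? new URL(selfOrigin).protocol.slice(0, -1);
  if (!schemeMatches(patternScheme, scheme)) return false;
  if (!hostMatches(src.host, u.hostname)) return false;
  const urlPort = u.port || DEFAULT_PORT[scheme] || "";
  if (src.port === null) { if (u.port !== "") return false; } // must be the default port
  else if (src.port !== "*" && src.port !== urlPort) return false;
  if (src.path && src.path !== "/") {
    if (src.path.endsWith("/")) { if (!u.pathname.startsWith(src.path)) return false; }
    else if (u.pathname !== src.path) return false; // no trailing "/": exact path
  }
  return true;
}

function urlMatchesSourceList(url, sources, selfOrigin) {
  for (const source of sources) {
    if (source === "'self'") { if (new URL(url).origin === selfOrigin) return true; continue; }
    // 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL.
    if (source.startsWith("'")) continue;
    const hs = parseHostSource(source);
    if (hs && urlMatchesHostSource(url, hs, selfOrigin)) return true;
  }
  return false;
}

// Image loads are governed by img-src; CSP3 falls back to default-src when it is absent.
function imageAllowed(policyString, url, selfOrigin) {
  const policy = parsePolicy(policyString);
  const sources = policy["img-src"] ?? policy["default-src"];
  return sources === undefined || urlMatchesSourceList(url, sources, selfOrigin);
}

// Constructed excerpt of the header from the issue (the original lists many more hosts).
const POSTED_POLICY =
  "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com https://*.gstatic.com " +
  "https://*.googletagmanager.com https://*.google-analytics.com https://*.doubleclick.net; " +
  "object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests";
const SELF_ORIGIN = "https://www.example.com"; // assumed protected origin
const VN_BEACON = "https://www.google.com.vn/ads/ga-audiences?v=1&t=sr"; // from the report
const COM_BEACON = "https://www.google.com/ads/ga-audiences?v=1&t=sr";

console.log("google.com.vn beacon allowed:", imageAllowed(POSTED_POLICY, VN_BEACON, SELF_ORIGIN));
console.log("google.com beacon allowed:   ", imageAllowed(POSTED_POLICY, COM_BEACON, SELF_ORIGIN));
console.log("'https://google.com.*' parses:", parseHostSource("https://google.com.*") !== null);
```

The practical consequence for the issue is that the only policy-level fix is to list each ccTLD host (or use Google's published list) under `img-src` or `default-src`. Nonces do not help with this particular violation: a nonce is attached to `<script>` and `<style>` elements and is checked by `script-src`/`style-src`, so the GA audiences request, which is an image load checked against `img-src` (here `default-src`), still needs a matching host-source.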