Contrib.social

Recommended way to add all Google supported domains for GA audience image

Open on Drupal.org →
Created on 20 November 2023, over 1 year ago
Updated 31 August 2024, 7 months ago

Problem/Motivation

When using GA/GTM, seems there's some image served from google.com OR any of the country domains, not sure where this is coming from. The error reported is as such:

Refused to load https://www.google.com/ads/ga-audience?[REDACTED] because it does not appear in the img-src directive of the Content Security Policy.

Steps to reproduce

There's no way to know what Google domain they're going to serve this image as it seems resolution is client side.

Proposed resolution

Add a recommended way to add all Google supported domains to the img-src CSP policy: https://www.google.com/supported_domains

Adding google.* as wildcard is not supported as it shouldn't

💬 Support request
Status

Fixed

Version

1.0

Component

Code

Created by

🇪🇸Spain pcambra Asturies

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Issue created by @pcambra
  • Comment over 1 year ago
    🇨🇦Canada gapple

    Yup, a trailing wildcard would allow google.evil-domain.com 😬.

    Unfortunate that this has been a noted issue for a while, and Google hasn't moved away from serving from different TLDs.

    https://developers.google.com/tag-platform/security/guides/csp#google_an...
    The GA4 docs note that all the TLDs are required in img-src and connect-src if using Google Signals.

    Easiest method is copying all the domains to the CSP additional sources config, but this is probably something modules like Google Tag should handle in their configuration to easily enable if needed.
    There's already an open issue for Google Tag's CSP support, but it could use some improvement on how it handles Google Analytics required directives (e.g. only adding them if needed - and this issue of adding CC TLDs if needed) Support Content Security Policy nonce Active

  • Comment over 1 year ago
    🇪🇸Spain pcambra Asturies

    Thanks @gapple, I use a custom GTM integration, is CspEvents::POLICY_ALTER the best place if I wanted for example to curl the google domains list and add it programmatically?

    Is this something that could be a valuable contribution to CSP? like a checkbox under img-src saying "include google annoying stuff"

  • Comment over 1 year ago
    🇨🇦Canada gapple

    Yeah, CspEvents::POLICY_ALTER would be best for altering the policy. I would personally opt for fetching the list and storing it to state during cron or something, so that a response doesn't get held up intermittently if the list of domains isn't available from cache.

    (The other option currently available would be implementing a config override for csp.settings:[report-only|enforce].directives.[img-src|connect-src].sources. 🌱 Better CSP support for themes Active has some potential future options that also would work for non-themes too, like altering library definitions.)

    ----
    I think this would be too specific for including directly in the module, but probably helpful as a code example on a documentation page for anyone else with a custom GA / GTM integration.

  • Comment over 1 year ago
    🇪🇸Spain pcambra Asturies

    Thanks @gapple, will post it here first and we can decide if it's enough or we add a doc page.

  • Status changed to Fixed 8 months ago
  • Comment 8 months ago
    🇨🇦Canada gapple
  • Comment 7 months ago
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024