Recommended way to add all Google supported domains for GA audience image

Created on 20 November 2023, 6 months ago
Updated 28 November 2023, 6 months ago

Problem/Motivation

When using GA/GTM, it seems there's some image served from google.com OR any of the country domains; not sure where this is coming from. The error reported is as such:

Refused to load https://www.google.com/ads/ga-audience?[REDACTED] because it does not appear in the img-src directive of the Content Security Policy.

Steps to reproduce

There's no way to know what Google domain they're going to serve this image as it seems resolution is client side.

Proposed resolution

Add a recommended way to add all Google supported domains to the img-src CSP policy: https://www.google.com/supported_domains

Adding google.* as a wildcard is not supported, as it shouldn't be.

💬 Support request
Status

Active

Version

1.0

Component

Code

Created by

pcambra (🇪🇸 Spain, 🇪🇺)


Comments & Activities


  • Issue created by @pcambra
  • gapple (🇨🇦 Canada)

    Yup, a trailing wildcard would allow google.evil-domain.com 😬.

    Unfortunate that this has been a noted issue for a while, and Google hasn't moved away from serving from different TLDs.

    https://developers.google.com/tag-platform/security/guides/csp#google_an...
    The GA4 docs note that all the TLDs are required in img-src and connect-src if using Google Signals.

    Easiest method is copying all the domains to the CSP additional sources config, but this is probably something modules like Google Tag should handle in their configuration to easily enable if needed.
    There's already an open issue for Google Tag's CSP support, but it could use some improvement on how it handles Google Analytics required directives (e.g. only adding them if needed - and this issue of adding CC TLDs if needed): ✨ Support Content Security Policy (Needs review)

  • pcambra (🇪🇸 Spain, 🇪🇺)

    Thanks @gapple, I use a custom GTM integration; is CspEvents::POLICY_ALTER the best place if I wanted, for example, to curl the Google domains list and add it programmatically?

    Is this something that could be a valuable contribution to CSP? like a checkbox under img-src saying "include google annoying stuff"

  • gapple (🇨🇦 Canada)

    Yeah, CspEvents::POLICY_ALTER would be best for altering the policy. I would personally opt for fetching the list and storing it to state during cron or something, so that a response doesn't get held up intermittently if the list of domains isn't available from cache.

    (The other option currently available would be implementing a config override → for csp.settings:[report-only|enforce].directives.[img-src|connect-src].sources. 🌱 Better CSP support for themes (Active) has some potential future options that also would work for non-themes too, like altering library definitions.)

    ----
    I think this would be too specific for including directly in the module, but probably helpful as a code example on a documentation page for anyone else with a custom GA / GTM integration.

  • pcambra (🇪🇸 Spain, 🇪🇺)

    Thanks @gapple, will post it here first and we can decide if it's enough or we add a doc page.
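The CspEvents::POLICY_ALTER approach gapple describes, as an added example that is not code from this issue or from the csp module: a subscriber in a hypothetical custom module "my_gtm" reads the raw supported_domains list from State (where an assumed cron job stores it, so no request waits on Google), whitelists only well-formed ".google.<tld>" lines, and appends them as https://*.google.<tld> sources to img-src and connect-src using the csp module's Csp::fallbackAwareAppendIfEnabled(), which is assumed to respect the default-src fallback.

```php
<?php

namespace Drupal\my_gtm\EventSubscriber;

use Drupal\Core\State\StateInterface;
use Drupal\csp\CspEvents;
use Drupal\csp\Event\PolicyAlterEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Appends Google's country-code domains to img-src and connect-src.
 * The raw list is read from State; a cron job (not shown) fetches
 * https://www.google.com/supported_domains and stores it there.
 */
class GoogleDomainsCspSubscriber implements EventSubscriberInterface {
  // Hypothetical State key written by the cron job.
  const STATE_KEY = 'my_gtm.google_supported_domains';

  public function __construct(protected StateInterface $state) {}

  public static function getSubscribedEvents(): array {
    return [CspEvents::POLICY_ALTER => 'onCspPolicyAlter'];
  }

  /**
   * Turns ".google.com\n.google.es" into ["https://*.google.com", ...].
   */
  public static function toSources(string $raw): array {
    $sources = [];
    foreach (preg_split('/\R/', $raw) as $line) {
      $line = strtolower(trim($line));
      // Keep only ".google.<tld>" entries; a stray or tampered line must
      // never become a CSP source (this is what rules out google.* too).
      if (preg_match('/^\.google(\.[a-z]{2,})+$/', $line)) {
        $sources[] = 'https://*' . $line;
      }
    }
    return array_values(array_unique($sources));
  }

  public function onCspPolicyAlter(PolicyAlterEvent $event): void {
    $sources = self::toSources($this->state->get(self::STATE_KEY, ''));
    $policy = $event->getPolicy();
    foreach (['img-src', 'connect-src'] as $directive) {
      // Assumed to only add to a directive the policy already restricts
      // (directly or via default-src), so it never widens an open one.
      $policy->fallbackAwareAppendIfEnabled($directive, $sources);
    }
  }
}
```

Register the class in the module's services.yml with the event_subscriber tag and '@state' as its argument; toSources() can be unit-tested on a captured copy of the list without touching the network.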
