Replace gtm script with nonce compatible version
What does this MR do?
- Initial issue: #223768 (closed)
- Initial MR: !38395 (merged)
- Infra Issue: https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11925
- Feature flag rollout #346322 (closed)
After trying to set the GTM ID in our staging environment to test, we figured out that our content security policy doesn't allow requests to googletagmanager.com.
This MR is using the nonce version of the GTM script (which I got from https://developers.google.com/tag-manager/web/csp) to overcome the problem of not allowing certain hosts in our content security policy.
However, testing this locally, I couldn't get it to work and we still forbid connections.
How to debug locally
- Check out this branch - everything is prepared by hardcoding a nonce value and setting the content security policy in SessionsController to quickly try out changes.
- Go to the sign-in page.
Screenshots (strongly suggested)
Even using the nonce-compatible version, we are getting errors:
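Why a nonce by itself does not clear these errors, as an added example that is not part of this MR or of GitLab's code: a small Ruby model of the CSP script-src decision. It shows that the nonce admits the inline GTM snippet, while gtm.js, which that snippet injects from googletagmanager.com, is only allowed once its host or 'strict-dynamic' is also listed. The function names, hash keys and the page host gitlab.example are this example's own assumptions.

```ruby
require 'securerandom'
require 'uri'

# Loader URL that the GTM snippet injects; the host named in the MR.
GTM_JS = 'https://www.googletagmanager.com/gtm.js'.freeze

# Only the script-src directive, which is the one GTM trips over here.
def build_csp(nonce, extra_sources = [])
  "script-src #{(["'self'", "'nonce-#{nonce}'"] + extra_sources).join(' ')}"
end

def script_src_sources(csp)
  directive = csp.split(';').map(&:strip).find { |d| d.start_with?('script-src') }
  directive ? directive.split(/\s+/).drop(1) : []
end

# Host-source matching (exact host or *.host); keyword sources never match a host.
def host_source_matches?(source, url)
  return false if source.start_with?("'")
  host = URI(url).host
  src = source.sub(%r{\Ahttps?://}, '')
  src.start_with?('*.') ? host.end_with?(src[1..]) : host == src
end

# Simplified CSP3 decision for one script element (hash keys are assumptions):
# :inline, :nonce, :url, :created_by_trusted_script
def script_allowed?(csp, script, page_host:)
  sources = script_src_sources(csp)
  return true if script[:nonce] && sources.include?("'nonce-#{script[:nonce]}'")
  if sources.include?("'strict-dynamic'")
    # Host allowlists are ignored; trust flows from an already-trusted script
    # to the non-parser-inserted scripts it creates, which is how gtm.js loads.
    return !script[:inline] && script[:created_by_trusted_script] == true
  end
  return false if script[:inline] # no matching nonce and no 'unsafe-inline'
  return true if sources.include?("'self'") && URI(script[:url]).host == page_host
  sources.any? { |s| host_source_matches?(s, script[:url]) }
end

# Returns [inline snippet allowed?, gtm.js loader allowed?] for a given policy.
def gtm_check(extra_sources = [])
  nonce = SecureRandom.base64(16) # fresh per response; never reuse a nonce
  csp = build_csp(nonce, extra_sources)
  snippet = { inline: true, nonce: nonce }
  loader = { inline: false, url: GTM_JS, created_by_trusted_script: true }
  [snippet, loader].map { |s| script_allowed?(csp, s, page_host: 'gitlab.example') }
end
```

With only the nonce listed the result is [true, false], which matches the blocked request seen here; adding https://www.googletagmanager.com or 'strict-dynamic' to script-src turns it into [true, true].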
How to review changes locally?
- Go to Google Tag Manager and create a new container. Grab your ID there.
- Edit your config/gitlab.yml and, under extra:, add values for google_tag_manager_nonce_id and google_tag_manager_id that should be your GTM ID from the previous step.
- Restart GDK.
- Enable the feature flag with Feature.enable(:gtm_nonce) via Rails console.
- Sign out from your local GDK instance.
- Open the Tag Assistant and follow the instructions there on enabling debugging support on your localhost.
- The Sign In page should be opened automatically via Tag Assistant and you should see the Tag Assistant box in your bottom right corner.
Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Phil Calder