Merge pull request #11 from silverstripeltd/feature/gtm-missing-directive-updates

Google Services fragment updates
jareddreyerss authored Nov 10, 2021
2 parents d705f32 + 88902ee commit 64c6e2f
Showing 3 changed files with 67 additions and 4 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -80,6 +80,16 @@ public function configure(): void
}
```

## Google Tag Manager / Adservices whitelist
Google uses localised regional domains for visitors for image tracker loading, which can pile up report violations with `google.com|.co.nz|.com.au` etc in your reporting tool.
To resolve this and rather than specifying all of Google's listed support domains (see https://www.google.com/supported_domains)
A white list config can be set to the GTM fragment to whitelist all `https:` URLs on the `img-src` directive, for example:
```yaml
Silverstripe\CSP\Fragments\GoogleTagManager:
whitelist_google_regional_domains: true
```
> See also ImagesOverHTTPs::class for more basic cover of https images.
## SRI
We also support SRI in this module, you can enable this via yaml:
```yaml
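Review bot: the new section should state plainly that `whitelist_google_regional_domains: true` does not allow-list Google's regional domains specifically but adds the bare `https:` scheme source to `img-src`, after which the page accepts images from any HTTPS origin; the phrase "whitelist all `https:` URLs on the `img-src` directive" hints at this, but someone deciding whether to enable it needs the trade-off spelled out, e.g. "this has the same effect as the ImagesOverHTTPs fragment; if your policy must stay tight, list the regional domains you actually see in reports instead". Style points: the sentence beginning "To resolve this and rather than specifying..." runs into "A white list config can be set..." without a full stop, and "Google's listed support domains" should read "supported domains" to match the linked page.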
29 changes: 29 additions & 0 deletions src/Fragments/GoogleMaps.php
@@ -0,0 +1,29 @@
<?php

namespace App\ContentSecurity\Fragments;

use Silverstripe\CSP\Directive;
use Silverstripe\CSP\Fragments\Fragment;
use Silverstripe\CSP\Policies\Policy;

/*
* Allows execution of Google Maps API related resources
* Nonce on the https://maps.google.com/maps/api/js URL is required before using this fragment.
*
* https://content-security-policy.com/examples/google-maps/
*/
class GoogleMaps implements Fragment
{
public static function addTo(Policy $policy): void
{
$policy
->addDirective(Directive::CONNECT, 'https://maps.googleapis.com')
->addDirective(Directive::IMG,
[
'https://maps.gstatic.com',
'https://*.googleapis.com',
'https://*.ggpht.com'
]
);
}
}
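Review bot: `namespace App\ContentSecurity\Fragments;` does not match the module; the other fragment touched in this commit (`src/Fragments/GoogleTagManager.php`) lives in `Silverstripe\CSP\Fragments`, and since this file sits under `src/Fragments/` it will not autoload under the module's namespace, so `Silverstripe\CSP\Fragments\GoogleMaps` will not exist when an app tries to use it. It reads as copied from an application project; change it to `namespace Silverstripe\CSP\Fragments;`. The header comment also says a nonce on `https://maps.google.com/maps/api/js` is required, yet the fragment adds nothing to `script-src`; either say explicitly that the caller must add that script source themselves, or add the directive here. Minor: `https://*.googleapis.com` on `img-src` is broader than the Maps endpoint named in `CONNECT`; consider whether `https://maps.googleapis.com` is enough.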
32 changes: 28 additions & 4 deletions src/Fragments/GoogleTagManager.php
Expand Up @@ -2,6 +2,7 @@

namespace Silverstripe\CSP\Fragments;

use SilverStripe\Core\Config\Configurable;
use Silverstripe\CSP\Directive;
use Silverstripe\CSP\Keyword;
use Silverstripe\CSP\Policies\Policy;
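Review bot: `Scheme::HTTPS` is used later in this file (in `undocumented()`) but no `use` for `Scheme` is added alongside these imports, so inside `namespace Silverstripe\CSP\Fragments` it resolves to `Silverstripe\CSP\Fragments\Scheme` and will fail with "Class not found" the first time `whitelist_google_regional_domains` is enabled; add `use Silverstripe\CSP\Scheme;` (assuming `Scheme` sits beside `Directive` and `Keyword`, which is not visible in this diff).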
Expand All @@ -12,6 +13,10 @@
*/
class GoogleTagManager implements Fragment
{
use Configurable;

private static bool $whitelist_google_regional_domains = false;

public static function addTo(Policy $policy): void
{
self::undocumented($policy);
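Review bot: the new config property `$whitelist_google_regional_domains` carries no comment, and its name suggests it allow-lists Google's regional domains whereas the implementation adds the `https:` scheme to `img-src`, permitting images from every HTTPS origin; add a short docblock on the property stating that effect so a developer reading the class sees the trade-off without the README. Also, `private static bool` is a typed static property and needs PHP 7.4+; confirm the module's PHP constraint allows it (not visible in this diff).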
Expand All @@ -25,14 +30,33 @@ public static function addTo(Policy $policy): void
}

/*
* These were ones not in the docs and had issues popping up
* CSP reported directive URIs that were not covered in the google docs
* and were continually over reporting CSP URI infringements.
*
* https://developers.google.com/web/fundamentals/security/csp#implementation_details
*/
public static function undocumented(Policy $policy): void
{
$policy
->addDirective(Directive::FRAME, '*.doubleclick.net')
->addDirective(Directive::CONNECT, '*.doubleclick.net')
->addDirective(Directive::IMG, '*.doubleclick.net');
->addDirective(Directive::FRAME,
[
'https://*.doubleclick.net',
'https://stats.g.doubleclick.net',
'http://bid.g.doubleclick.net',
]
)
->addDirective(Directive::CONNECT, [
'https://adservice.google.com',
'https://www.google.com',
'https://*.doubleclick.net',
]);

// Google uses localised regional endpoint domains for their services
// if seeing regional google domain report violations
// setting this config will whitelist all img-src to allow 'https:'.
if (self::config()->get('whitelist_google_regional_domains') === true) {
$policy->addDirective(Directive::IMG, Scheme::HTTPS);
}
}

/*
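Review bot: the rewrite drops the previous `->addDirective(Directive::IMG, '*.doubleclick.net')` and adds nothing for doubleclick on `img-src` unless `whitelist_google_regional_domains` is on, so with the default config the doubleclick tracking pixels this method existed to cover will produce `img-src` violation reports again; keep an unconditional `img-src` entry for `https://*.doubleclick.net`. Two smaller points in the `FRAME` list: `'http://bid.g.doubleclick.net'` is a plain-http source, which a browser blocks as mixed content on an HTTPS page and which otherwise admits an unencrypted frame, so make it `https://` or drop it; and `'https://stats.g.doubleclick.net'` is already matched by `'https://*.doubleclick.net'` and can go.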
