diff --git a/README.md b/README.md index 9c76ca6..6163e5d 100644 --- a/README.md +++ b/README.md @@ -80,6 +80,16 @@ public function configure(): void } ``` +## Google Tag Manager / Adservices whitelist +Google uses localised regional domains for visitors for image tracker loading, which can pile up report violations with `google.com|.co.nz|.com.au` etc in your reporting tool. +To resolve this and rather than specifying all of Google's listed support domains (see https://www.google.com/supported_domains) +A white list config can be set to the GTM fragment to whitelist all `https:` URLs on the `img-src` directive, for example: +```yaml +Silverstripe\CSP\Fragments\GoogleTagManager: + whitelist_google_regional_domains: true +``` +> See also ImagesOverHTTPs::class for more basic cover of https images. + ## SRI We also support SRI in this module, you can enable this via yaml: ```yaml diff --git a/src/Fragments/GoogleMaps.php b/src/Fragments/GoogleMaps.php new file mode 100644 index 0000000..e671117 --- /dev/null +++ b/src/Fragments/GoogleMaps.php @@ -0,0 +1,29 @@ +addDirective(Directive::CONNECT, 'https://maps.googleapis.com') + ->addDirective(Directive::IMG, + [ + 'https://maps.gstatic.com', + 'https://*.googleapis.com', + 'https://*.ggpht.com' + ] + ); + } +} diff --git a/src/Fragments/GoogleTagManager.php b/src/Fragments/GoogleTagManager.php index c7b574a..7eae9f9 100644 --- a/src/Fragments/GoogleTagManager.php +++ b/src/Fragments/GoogleTagManager.php @@ -2,6 +2,7 @@ namespace Silverstripe\CSP\Fragments; +use SilverStripe\Core\Config\Configurable; use Silverstripe\CSP\Directive; use Silverstripe\CSP\Keyword; use Silverstripe\CSP\Policies\Policy; @@ -12,6 +13,10 @@ */ class GoogleTagManager implements Fragment { + use Configurable; + + private static bool $whitelist_google_regional_domains = false; + public static function addTo(Policy $policy): void { self::undocumented($policy); 
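Review bot: The `img-src` entry `'https://*.googleapis.com'` in GoogleMaps::addTo is much broader than the Maps endpoints it is meant to cover — the wildcard also matches `storage.googleapis.com`, where any Google Cloud Storage bucket owner can publish content, so an injected `<img>` could beacon page data to an attacker-controlled bucket without triggering a violation report. Pin it to the hosts Maps actually loads from, e.g. `'https://maps.googleapis.com',` in place of the wildcard, and add a comment such as `// deliberately no *.googleapis.com wildcard: it would include storage.googleapis.com (arbitrary GCS buckets)`. The `connect-src` line just above is already pinned to `https://maps.googleapis.com`, so the image list should follow the same discipline. The top of this new file (header, imports and the opening of addTo) is not visible in the hunk as rendered, so I cannot confirm what else the method declares.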
@@ -25,14 +30,33 @@ public static function addTo(Policy $policy): void } /* - * These were ones not in the docs and had issues popping up + * CSP reported directive URIs that were not covered in the google docs + * and were continually over reporting CSP URI infringements. + * + * https://developers.google.com/web/fundamentals/security/csp#implementation_details */ public static function undocumented(Policy $policy): void { $policy - ->addDirective(Directive::FRAME, '*.doubleclick.net') - ->addDirective(Directive::CONNECT, '*.doubleclick.net') - ->addDirective(Directive::IMG, '*.doubleclick.net'); + ->addDirective(Directive::FRAME, + [ + 'https://*.doubleclick.net', + 'https://stats.g.doubleclick.net', + 'http://bid.g.doubleclick.net', + ] + ) + ->addDirective(Directive::CONNECT, [ + 'https://adservice.google.com', + 'https://www.google.com', + 'https://*.doubleclick.net', + ]); + + // Google uses localised regional endpoint domains for their services + // if seeing regional google domain report violations + // setting this config will whitelist all img-src to allow 'https:'. + if (self::config()->get('whitelist_google_regional_domains') === true) { + $policy->addDirective(Directive::IMG, Scheme::HTTPS); + } } /*
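Review bot: Adding `Scheme::HTTPS` to `img-src` when `whitelist_google_regional_domains` is set does not whitelist Google's regional domains — it emits `img-src https:`, which allows images from every HTTPS origin and removes img-src as a control against image-beacon exfiltration from an injected payload, something neither the option name nor the docblock above undocumented() makes clear. At minimum the inline comment should say `// WARNING: this is 'img-src https:' — every HTTPS origin, not only Google; it trades exfil protection for quieter reports`, and a config-driven list of explicit `https://www.google.<tld>` hosts would be the safer replacement. The old `->addDirective(Directive::IMG, '*.doubleclick.net')` has been dropped and only returns as the blanket `https:` when the flag is on, so with the default `false` the DoubleClick pixel this method previously allowed will now violate unless the documented section of addTo() (outside this hunk) covers it. `Scheme` is not among the `use` lines added in this file's first hunk; if it is not imported elsewhere, `Scheme::HTTPS` will fail at runtime. The `'http://bid.g.doubleclick.net'` frame-src entry permits a cleartext frame, which an HTTPS page would block as mixed content anyway, so `https://` is the only useful scheme there.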