Closed Bug 1260746 Opened 8 years ago Closed 8 years ago

Make GTM CSP Compliant

Categories

(www.mozilla.org :: Analytics, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: garethc, Unassigned)

References

Details

(Whiteboard: [q3 sprint 4])

I am working with Analytics Pros and pmac to make Google Tag Manager CSP compliant. This work entails updating various variables in GTM in addition to removing any custom JS we were using within GTM. Removing custom JS in some cases will require code updates in bedrock.
Depends on: 1266576
Depends on: 1266553
Gareth, can this bug be marked as fixed? 

I believe all the dependent bugs James filed have been completed.
Flags: needinfo?(garethcull.bugs)
All the work James has done is complete. The last thing we need is to enable CSP on a demo server and make sure everything looks ok before we turn on CSP in production? 

pmac, is this something you can help set up?
Flags: needinfo?(garethcull.bugs) → needinfo?(pmac)
Yup. I've had a demo up for optimizely+csp before but couldn't get anyone to check it. I know we're still trying to get a meeting set up to go over the state of all of this. Let's do that and figure out where we are and how much is left to do then we can say what remains here.

I will say that the way this bug was written it does seem complete to me and maybe we should (or possibly already have?) file a bug specifically for enabling CSP so that Optimizely and GTM continue to work since enabling it will need to take both into account.
Flags: needinfo?(pmac)
Hey Pmac, can you set up a demo server and James will test to make sure all of our events and pageviews are coming into GA properly. Thanks.
Flags: needinfo?(james.lorence)
Hey Pmac, just wanted to ping you again about getting a demo server up so I could test event and pageview tracking to make sure nothing is breaking with having CSP enabled. Thanks.
Flags: needinfo?(james.lorence) → needinfo?(pmac)
I've got a demo up, but the CSP settings are still just for Optimizely. Does anyone know which CSP rules are needed to make GTM work, or at least which domains GTM uses?
Flags: needinfo?(pmac)
Flags: needinfo?(james.lorence)
I don't know which rules are needed for GTM, but the GTM container is hosted on www.googletagmanager.com and the container script will also add the analytics.js library which is hosted on www.google-analytics.com.
Flags: needinfo?(james.lorence)
Whiteboard: [q3 sprint 4]
Hi Paul-

Have you had any success finding the rules to make CSP work for GTM?  Do you need any help?

thx,
Jen
Flags: needinfo?(pmac)
Updated the rules on my demo this morning. Should be ready for more testing soon.

https://bedrock-demo-pmac.us-west.moz.works
Flags: needinfo?(pmac)
(In reply to Paul [:pmac] McLanahan from comment #9)
> Should be ready for more testing soon.
> 
> https://bedrock-demo-pmac.us-west.moz.works

Hi Paul,

Is everything set up now on your demo server to test that GTM tracking is working properly with the CSP enabled?

-James
Flags: needinfo?(pmac)
Yes. Sorry. What I meant by "soon" was "within the hour". Please continue testing.

Or, even better, can you explain here how to verify that GTM is working so that we don't have to wait for anyone on the analytics side? It'd be much quicker if we could iterate on this without having to bother any of you.
Flags: needinfo?(pmac)
After some initial testing I found one more domain that needs to be added for the Google Analytics tracking to work properly: stats.g.doubleclick.net

Besides a few hits not working properly because of the block on stats.g.doubleclick.net though, everything else seems to be working properly. I'd like to do a little further testing once stats.g.doubleclick.net is added before I sign off that everything is working properly.

In the future I would think confirming that the resources for the GTM solution are loading properly for those domains I've listed that are needed and testing a handful of pages that pageviews and link/download clicks are tracking would be sufficient testing that things are working properly.
I'm actually not comfortable allowing connections to doubleclick.net. That's a well-known tracker and we don't have anything in our privacy policy that would allow doubleclick to collect info about our users. If GTM relies on doubleclick.net then I think we need to find another way to collect analytics data.
So I just did another quick round of testing and I found that there does need to be one more domain added: google.com

The DoubleClick request gets a 302 error to redirect to a google.com domain. I didn't see it on the last pass because the initial DoubleClick request wasn't going out.

Everything else looks good. It really should just be this one last domain to add and then everything should be working fine.
I fixed the google thing and a few other new things that were reported by CSP. Give it another go.
Everything looks to be working great. This bug seems resolved to me.
When do we think we can promote this to production?
I'm going to remove the doubleclick bits since it was turned off, then we'll need a quick code review and we can merge. Thanks for the ping.
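The comments above settle which hosts the policy must name (www.googletagmanager.com and www.google-analytics.com) and which it must not (stats.g.doubleclick.net and the google.com redirect it produces). The script below is an added illustration of how to check that outcome before enabling CSP on a demo server; it is not bedrock's code and not part of this bug. The header value, the list of requests and the origin https://www.mozilla.org are constructed for the example, and the matcher is a simplified version of CSP host-source matching (scheme, host with a leading `*.` wildcard, port, `'self'` and scheme sources; no path matching, nonces or hashes).

```python
"""Check which requests a Content-Security-Policy header would allow.

Added example, not bedrock's code. Implements a simplified CSP source
matcher: 'self', 'none', scheme sources (data:, https:), '*', and host
sources with an optional scheme, a leading '*.' wildcard and a port.
Path matching, nonces and hashes are deliberately omitted.
"""
from urllib.parse import urlsplit

# Constructed header reflecting the outcome of the bug: GTM and GA hosts
# are allowed, stats.g.doubleclick.net and www.google.com are not.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' www.googletagmanager.com www.google-analytics.com; "
    "img-src 'self' data: www.google-analytics.com; "
    "connect-src 'self' www.google-analytics.com"
)

# Constructed requests a GTM container plus analytics.js would issue,
# using the hosts named in this bug (paths and the GTM id are placeholders).
FETCHES = [
    ("script-src", "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"),
    ("script-src", "https://www.google-analytics.com/analytics.js"),
    ("img-src", "https://www.google-analytics.com/collect?v=1&t=pageview"),
    ("connect-src", "https://www.google-analytics.com/collect"),
    ("img-src", "https://stats.g.doubleclick.net/collect"),
    ("img-src", "https://www.google.com/collect"),
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, origin):
    """Return True if a single source expression permits the URL."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        o = urlsplit(origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if expr.startswith("'"):
        return False  # 'unsafe-inline', nonces, hashes: not URL sources
    if expr.endswith(":"):
        return u.scheme == expr[:-1].lower()  # scheme source, e.g. data:
    if expr == "*":
        return u.scheme in ("http", "https")
    # Host source: [scheme://]host[:port]
    scheme, _, rest = expr.rpartition("://")
    host, _, port = rest.partition(":")
    if scheme and u.scheme != scheme.lower():
        return False
    if not scheme and u.scheme not in ("http", "https"):
        return False
    if port and port != "*":
        effective = u.port or DEFAULT_PORTS.get(u.scheme)
        if str(effective) != port:
            return False
    host = host.lower()
    h = (u.hostname or "").lower()
    if host.startswith("*."):
        return h.endswith(host[1:])  # *.example.com matches a.example.com only
    return h == host


def allowed(policy, directive, url, origin="https://www.mozilla.org"):
    """Check a fetch under a directive, falling back to default-src."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, origin) for s in sources)


def audit(header, fetches, origin="https://www.mozilla.org"):
    """Return {url: allowed?} for a list of (directive, url) pairs."""
    policy = parse_csp(header)
    return {url: allowed(policy, d, url, origin) for d, url in fetches}


if __name__ == "__main__":
    for url, ok in audit(POLICY, FETCHES).items():
        print("ALLOW" if ok else "BLOCK", url)
```

Running it lists the GTM and GA requests as allowed and the two DoubleClick-related hosts as blocked, which is the state the thread converged on; the same audit can be re-run against a real header copied from the demo server's response before the policy is promoted to production.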
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/3bedbf1fd59184de15a36d607503ed44293cedfb
Fix bug 1260746: Enable CSP

Tested and working with Optimizely and Google Analytics/Tag Manager.

Also works with:

* Mapbox
* Youtube
* trackertest.org (moz service for tracking detection)
* surveygizmo.com
* firefox accounts

https://github.com/mozilla/bedrock/commit/fad1f3239e8b1ee11c05c1766725c66db2df79b0
Merge pull request #4335 from pmac/csp-o8y-experiment-2

Fix bug 1260746: Add CSP
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED