Closed
Bug 1305179
Opened 9 years ago
Closed 9 years ago
CSP is blocking Google Tag Manager debugger
Categories
(www.mozilla.org :: Analytics, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: luka.cempre, Assigned: agibson)
Details
Attachments
(3 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Comment 1•9 years ago (Reporter)
While working on a GTM task, I've noticed that google.com is one of the domains blocked by the CSP.
That makes it impossible for us to use GTM debug on the website.
Would it be possible to whitelist google.com?
Flags: needinfo?(agibson)
Comment 2•9 years ago (Reporter)
Updated•9 years ago (Reporter)
Attachment #8794433 -
Attachment description: Network Request Log → Network Request Log - Screenshot
Comment 3•9 years ago (Reporter)
Updated•9 years ago (Assignee)
Assignee: nobody → agibson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(agibson)
Comment 4•9 years ago (Assignee)
Comment 5•9 years ago (Assignee)
(In reply to Luka Cempre (formerly owned by James Lorence) from comment #1)
> While working on a GTM task, I've noticed that google.com is one of the
> domains blocked by the CSP.
> That makes it impossible for us to use GTM debug on the website.
>
> Would it be possible to whitelist google.com.
I've created a pull request above to add tagmanager.google.com to the CSP script src list. Thanks
Comment 6•9 years ago
Commits pushed to master at https://github.com/mozilla/bedrock
https://github.com/mozilla/bedrock/commit/b8121b4e3e7fd3d4e5bed3c32a8336c054936776
[fix bug 1305179] Add tagmanager.google.com to CSP script src
https://github.com/mozilla/bedrock/commit/d2a9a155887f59aa3a4243f2ec1345b29560f71b
Merge pull request #4366 from alexgibson/bug-1305179-csp-gtm-debugger
[fix bug 1305179] Add tagmanager.google.com to CSP script src
Updated•9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 7•9 years ago (Reporter)
Hi Alex,
thank you for quick turnaround on this.
The main debugger script is now loading correctly, however other resources that debugger depends on are still being blocked (they have only started showing up after the initial fix).
Blocked resources needed for debugger to function correctly:
https://tagmanager.google.com/debug/css.css
https://fonts.googleapis.com/icon?family=Material+Icons
https://ssl.gstatic.com/analytics/header/legacy/v1/ic_tag_manager.svg
https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_up_white_48dp.png
Status: RESOLVED → REOPENED
Flags: needinfo?(agibson)
Resolution: FIXED → ---
Comment 8•9 years ago (Assignee)
(In reply to Luka Cempre (formerly owned by James Lorence) from comment #7)
> Hi Alex,
>
> thank you for quick turnaround on this.
>
> The main debugger script is now loading correctly, however other resources
> that debugger depends on are still being blocked (they have only started
> showing up after the initial fix).
>
> Blocked resources needed for debugger to function correctly:
> https://tagmanager.google.com/debug/css.css
> https://fonts.googleapis.com/icon?family=Material+Icons
> https://ssl.gstatic.com/analytics/header/legacy/v1/ic_tag_manager.svg
> https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_up_white_48dp.png
I don't think we should add exceptions for all these google domains as it kinda defeats the purpose of having the CSP policy in place. Speaking to :pmac on IRC he thinks a better approach would be to make these settings configurable so we can add and remove exceptions as and when needed and test against staging.
CC'ing :pmac here.
Flags: needinfo?(agibson)
Comment 9•9 years ago
I'm uncomfortable adding these rules to our production CSP for assets that aren't part of the functioning of the site. If you need to debug I suggest either disabling CSP in your browser temporarily (e.g. in Firefox you can set `security.csp.enable` to false via about:config), or following some advice from the Stack Overflow article I linked below and converting your bookmarklet (I assume it's a bookmarklet) to a GreaseMonkey script. I would be okay with enabling these things on stage, and I'd bet that all situations that are having problems in prod are also in stage.
Hopefully one of these things will work for you. Let us know.
http://superuser.com/q/586063
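
The trade-off discussed in comments 8 and 9, as an added example that is not part of the bug thread or bedrock's code: a per-environment policy builder in which staging carries the debugger exceptions and production does not. The base policy, the `STAGE_EXTRAS` mapping, the function names and the directive assigned to each resource are assumptions; the four URLs are the ones listed in comment 7.

```python
from urllib.parse import urlsplit

# Constructed production policy: the page does not show bedrock's real CSP.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "tagmanager.google.com"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
}
# Hypothetical staging-only exceptions, kept out of the production policy.
STAGE_EXTRAS = {
    "style-src": ["tagmanager.google.com", "fonts.googleapis.com"],
    "img-src": ["ssl.gstatic.com", "www.gstatic.com"],
}
# Resources reported blocked in comment 7, paired with the governing directive.
DEBUGGER_RESOURCES = [
    ("style-src", "https://tagmanager.google.com/debug/css.css"),
    ("style-src", "https://fonts.googleapis.com/icon?family=Material+Icons"),
    ("img-src", "https://ssl.gstatic.com/analytics/header/legacy/v1/ic_tag_manager.svg"),
    ("img-src", "https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_up_white_48dp.png"),
]

def build_policy(environment):
    """Return a copy of the base policy, widened only for 'stage'."""
    policy = {d: list(srcs) for d, srcs in BASE_POLICY.items()}
    if environment == "stage":
        for directive, extra in STAGE_EXTRAS.items():
            policy.setdefault(directive, []).extend(extra)
    return policy

def header_value(policy):
    """Serialize the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())

def host_allowed(url, sources, self_host):
    """Simplified host-source match: exact host or 'self'; no scheme/port/path."""
    host = urlsplit(url).hostname
    return any(s == host or (s == "'self'" and host == self_host) for s in sources)

def blocked(policy, self_host="www.mozilla.org"):
    """List (directive, url) pairs the policy would refuse to load."""
    return [(d, u) for d, u in DEBUGGER_RESOURCES
            if not host_allowed(u, policy.get(d, policy["default-src"]), self_host)]

if __name__ == "__main__":
    for env in ("prod", "stage"):
        p = build_policy(env)
        print(env, "->", header_value(p))
        print("  blocked:", len(blocked(p)))
```
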
Comment 10•9 years ago (Reporter)
Hi Paul,
Thank you for the advice. I can disable CSP for the purpose of debugging. I'm able to see the GTM debugger.
I'll inform our team about the procedure to follow when GTM debugger on mozilla.org
Comment 11•9 years ago
Great. Thanks for your understanding on this.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED