Merge pull request #1376 from cisagov/nl/google-analytics-fix

Issue #1338: Google Analytics CSP Bug
2025-08-05 01:11:55 +02:00 · 2023-11-21 14:10:57 -07:00 · 2023-11-21 14:10:57 -07:00 · 2d49674f87
commit 2d49674f87
parent 310da70913 38fb3c5eaf
2 changed files with 9 additions and 2 deletions
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@ -299,11 +299,18 @@ SERVER_EMAIL = "root@get.gov"
 # this can be restrictive because we have few external scripts
 allowed_sources = ("'self'",)
 CSP_DEFAULT_SRC = allowed_sources
-# Most things fall back to default-src, but these two do not and should be
+# Most things fall back to default-src, but the following do not and should be
 # explicitly set
 CSP_FRAME_ANCESTORS = allowed_sources
 CSP_FORM_ACTION = allowed_sources

+# Google analytics requires that we relax our otherwise
+# strict CSP by allowing scripts to run from their domain
+# and inline with a nonce, as well as allowing connections back to their domain
+CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/"]
+CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
+CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
+
 # Cross-Origin Resource Sharing (CORS) configuration
 # Sets clients that allow access control to manage.get.gov
 # TODO: remove :8080 to see if we can have all localhost access
--- a/src/registrar/templates/base.html
+++ b/src/registrar/templates/base.html
@ -6,7 +6,7 @@
  {% if IS_PRODUCTION %}
  <!-- Google tag (gtag.js) -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-PZ5QSP6QPL"></script>
-  <script>
+  <script type="text/javascript" nonce="{{request.csp_nonce}}">
    window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-PZ5QSP6QPL');
  </script>
  {% endif %}