zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-12 12:39:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1376 from cisagov/nl/google-analytics-fix

Browse source 
Issue #1338: Google Analytics CSP Bug
This commit is contained in:
CuriousX 2023-11-21 14:10:57 -07:00 committed by GitHub
commit 2d49674f87
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/registrar/config/settings.py
View file

@ -299,11 +299,18 @@ SERVER_EMAIL = "root@get.gov"
# this can be restrictive because we have few external scripts # this can be restrictive because we have few external scripts
allowed_sources = ("'self'",) allowed_sources = ("'self'",)
CSP_DEFAULT_SRC = allowed_sources CSP_DEFAULT_SRC = allowed_sources
# Most things fall back to default-src, but these two do not and should be # Most things fall back to default-src, but the following do not and should be
# explicitly set # explicitly set
CSP_FRAME_ANCESTORS = allowed_sources CSP_FRAME_ANCESTORS = allowed_sources
CSP_FORM_ACTION = allowed_sources CSP_FORM_ACTION = allowed_sources
# Google analytics requires that we relax our otherwise
# strict CSP by allowing scripts to run from their domain
# and inline with a nonce, as well as allowing connections back to their domain
CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/"]
CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
# Cross-Origin Resource Sharing (CORS) configuration # Cross-Origin Resource Sharing (CORS) configuration
# Sets clients that allow access control to manage.get.gov # Sets clients that allow access control to manage.get.gov
# TODO: remove :8080 to see if we can have all localhost access # TODO: remove :8080 to see if we can have all localhost access

2
src/registrar/templates/base.html
View file

@ -6,7 +6,7 @@
{% if IS_PRODUCTION %} {% if IS_PRODUCTION %}
<!-- Google tag (gtag.js) --> <!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PZ5QSP6QPL"></script> <script async src="https://www.googletagmanager.com/gtag/js?id=G-PZ5QSP6QPL"></script>
<script> <script type="text/javascript" nonce="{{request.csp_nonce}}">
window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-PZ5QSP6QPL'); window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-PZ5QSP6QPL');
</script> </script>
{% endif %} {% endif %}