How to add nonce for CSP? gtm4wp_get_the_gtm_tag filter is deprecated. #351

Open
gettonet opened this issue Jun 3, 2024 · 13 comments

Comments

@gettonet

gettonet commented Jun 3, 2024

Hello,

Given that the gtm4wp_get_the_gtm_tag filter is deprecated, we cannot add a nonce to the gtm4wp scripts and include them in the website's Content Security Policy.
Why is this filter deprecated, do you plan to get it back in future releases, or do you recommend some other way of adding the gtm4wp scripts to CSP, apart from creating a hash for every single (dynamic) script?

@duracelltomi
Owner

This filter was removed because it introduced some security risks.

If you want to alter the container code in any way, you should turn off the container code in the plugin options and add your own container code using the GTM4WP_WPACTION_AFTER_CONTAINER_CODE / gtm4wp_after_container_code hook, which fires regardless of whether the container code is turned on or off in the plugin settings.

Just make sure to output the full header script.

@gettonet
Author

gettonet commented Jun 4, 2024

The dataLayer script makes it impossible to add to the CSP as a hash, as it is dynamically created and is different on every page:


```php
echo '
<script data-cfasync="false" data-pagespeed-no-defer' . ( $has_html5_support ? ' type="text/javascript"' : '' ) . ( $add_cookiebot_ignore ? ' data-cookieconsent="ignore"' : '' ) . '>';

if ( '' !== $gtm4wp_options[ GTM4WP_OPTION_GTM_CODE ] ) {
	$gtm4wp_datalayer_data = array();
	// Every hooked data layer provider adds page-specific values here,
	// so the emitted script body differs from page to page.
	$gtm4wp_datalayer_data = (array) apply_filters( GTM4WP_WPFILTER_COMPILE_DATALAYER, $gtm4wp_datalayer_data );

	echo '
	var dataLayer_content = ' . wp_json_encode( $gtm4wp_datalayer_data, JSON_UNESCAPED_UNICODE | JSON_NUMERIC_CHECK ) . ';';

	echo '
	' . esc_js( $gtm4wp_datalayer_name ) . '.push( dataLayer_content );';
}

echo '
</script>';
```

It is not the container itself, as that can be added to the CSP as a hash.
But what to do with the dataLayer script?
Wouldn't it be worth considering adding a filter for a nonce?

@duracelltomi
Owner

I can of course.

What about adding a filter like gtm4wp_get_csp_nonce and what is returned is added to the <script> tag?
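
The setup the two maintainer comments above describe (send a per-request nonce in the CSP header and hand the same nonce to the plugin through the proposed gtm4wp_get_csp_nonce filter, or, with the plugin's own container output switched off, print a nonced container yourself on gtm4wp_after_container_code), as an added example that is not code from the plugin or from either participant. Assumptions: the filter name gtm4wp_get_csp_nonce is the one proposed in this comment and may differ in the released version; gtm4wp_after_container_code is treated as a do_action hook with no arguments; my_csp_nonce and the GTM-XXXXXXX container ID are placeholders of this example.

```php
<?php
/**
 * Added example, not gtm4wp code. One nonce per request, sent in the CSP
 * header and handed to GTM4WP so its <script> tags carry nonce="...".
 * Assumptions (not confirmed by the plugin): the filter name
 * 'gtm4wp_get_csp_nonce' is the one proposed in this issue; the
 * 'gtm4wp_after_container_code' action takes no arguments.
 * Drop this in a mu-plugin or the theme's functions.php.
 */

// Generate the nonce once per request and reuse it everywhere.
function my_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		// 128 bits from the CSPRNG. base64 output is a valid CSP nonce-value
		// and never contains a quote or '>', so it is safe inside an attribute.
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

// 1. Send the policy before any output. 'strict-dynamic' lets the nonced
//    container snippet load gtm.js (and whatever GTM injects afterwards)
//    without listing every host; the explicit hosts are a fallback for
//    browsers that do not understand 'strict-dynamic'.
add_action( 'send_headers', function () {
	if ( is_admin() ) {
		return;
	}
	$nonce  = my_csp_nonce();
	$policy = "script-src 'nonce-{$nonce}' 'strict-dynamic' https://www.googletagmanager.com https://www.google-analytics.com; "
		. "object-src 'none'; base-uri 'self';";
	header( 'Content-Security-Policy: ' . $policy );
} );

// 2a. Plugin-rendered container: return the nonce through the filter proposed
//     in this issue (hypothetical name) so the dataLayer and container
//     <script> tags printed by the plugin get nonce="...".
add_filter( 'gtm4wp_get_csp_nonce', function ( $nonce ) {
	return my_csp_nonce();
} );

// 2b. Alternative when the plugin's container output is turned off in its
//     settings: print the full GTM head snippet yourself with the nonce.
//     The action fires regardless of that setting, so use either 2a or 2b,
//     never both, or the container loads twice.
add_action( 'gtm4wp_after_container_code', function () {
	$gtm_id = 'GTM-XXXXXXX'; // placeholder container ID
	$nonce  = esc_attr( my_csp_nonce() );
	?>
<script nonce="<?php echo $nonce; ?>">
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;
f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer',<?php echo wp_json_encode( $gtm_id ); ?>);
</script>
	<?php
} );
```

Two caveats before relying on this. A nonce must be unique per response, so it does not survive full-page caching: a cached HTML page carries yesterday's nonce while the header (or a proxy) sends a fresh one, and every script is blocked. Sites that cache whole pages either need the cache layer to rewrite the nonce on each hit, or must stay with hashes, which is exactly what the dynamic dataLayer script above rules out. Second, without 'strict-dynamic' the nonce only covers the inline snippet itself; gtm.js and every tag GTM later injects still need their hosts allow-listed, which is why the policy above lists them as well.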

@gettonet
Author

gettonet commented Jun 6, 2024

That would be great!

@gettonet
Author

gettonet commented Jun 6, 2024

I tried to help, so created a pull request here: #352

@duracelltomi
Owner

Please review this branch: 7faf339

@gettonet
Author

gettonet commented Jun 7, 2024

Looking good @duracelltomi! Thank you for your effort; this is indeed an improvement and a huge help to anyone who's using your plugin and dealing with a CSP setup.

@gettonet
Author

@duracelltomi what's the status, would you like to release this update soon?

@duracelltomi
Owner

I'm just finishing my vacation time, will do the release next week

@gettonet
Author

@duracelltomi just wanted to follow up, will the release be public soon?

@duracelltomi
Owner

If nothing extreme happens, tomorrow.

@gettonet
Author

gettonet commented Jul 8, 2024

Something extreme must have happened! :) @duracelltomi

@duracelltomi
Owner

Indeed, however 1.21 beta1 is now out, you can test it:
https://github.com/duracelltomi/gtm4wp/releases/tag/1.21.beta1
