From 0ee3f450660dc1bcfec916f9d063c02d1b6910af Mon Sep 17 00:00:00 2001
From: zawias-pro
Date: Mon, 28 Oct 2024 12:36:08 +0100
Subject: [PATCH] PPPSYS-50223 Update CSP definitions, based on the endpoint
locations
---
tag_manager/content_security_policy.rst | 29 ++++++++++---------------
1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/tag_manager/content_security_policy.rst b/tag_manager/content_security_policy.rst
index bbf31888..6c1ef101 100644
--- a/tag_manager/content_security_policy.rst
+++ b/tag_manager/content_security_policy.rst
@@ -38,12 +38,12 @@ Consequently, default container code requires following modifications to work:
(function(window, document, dataLayerName, id) {
window[dataLayerName]=window[dataLayerName]||[],window[dataLayerName].push({start:(new Date).getTime(),event:"stg.start"});
var scripts=document.getElementsByTagName('script')[0],tags=document.createElement('script');
- function stgCreateCookie(a,b,c){var d="";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d=";expires="+e.toUTCString()}document.cookie=a+"="+b+d+"; path=/"}
+ function stgCreateCookie(a,b,c){var d="";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d="; expires="+e.toUTCString();f="; SameSite=Strict"}document.cookie=a+"="+b+d+f+"; path=/"}
var isStgDebug=(window.location.href.match("stg_debug")||document.cookie.match("stg_debug"))&&!window.location.href.match("stg_disable_debug");
stgCreateCookie("stg_debug",isStgDebug?1:"",isStgDebug?14:-1);
var qP=[];dataLayerName!=="dataLayer"&&qP.push("data_layer_name="+dataLayerName),tags.nonce="INSERT_VALID_NONCE_VALUE",isStgDebug&&qP.push("stg_debug");
var qPString=qP.length>0?("?"+qP.join("&")):"";
- tags.async=!0,tags.src="https://client.containers.piwik.pro/"+id+".js"+qPString,
+ tags.async=!0,tags.src="https://client.piwik.pro/containers/"+id+".js"+qPString,
scripts.parentNode.insertBefore(tags,scripts);
!function(a,n,i){a[n]=a[n]||{};for(var c=0;c
(function(window, document, dataLayerName, id) {
- function stgCreateCookie(a,b,c){var d="";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d=";expires="+e.toUTCString()}document.cookie=a+"="+b+d+"; path=/"}
+ function stgCreateCookie(a,b,c){var d="";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d="; expires="+e.toUTCString();f="; SameSite=Strict"}document.cookie=a+"="+b+d+f+"; path=/"}
var isStgDebug=(window.location.href.match("stg_debug")||document.cookie.match("stg_debug"))&&!window.location.href.match("stg_disable_debug");
stgCreateCookie("stg_debug",isStgDebug?1:"",isStgDebug?14:-1);
var qP=[];dataLayerName!=="dataLayer"&&qP.push("data_layer_name="+dataLayerName),isStgDebug&&qP.push("stg_debug");
var qPString=qP.length>0?("?"+qP.join("&")):"";
- document.write('
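Review bot: The new `stgCreateCookie` in both snippets assigns `f` without `var` and only inside the `if(c)` branch, yet reads it unconditionally in the `document.cookie` expression; that makes `f` an implicit global, throws a ReferenceError when the snippet is embedded in a page running under `'use strict'`, and would append the literal string "undefined" to the cookie for any caller that passes a falsy `c` (the current calls pass 14 or -1, so the breakage is latent rather than immediate). Declaring it with the other locals fixes both: `function stgCreateCookie(a,b,c){var d="",f="; SameSite=Strict";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d="; expires="+e.toUTCString()}document.cookie=a+"="+b+d+f+"; path=/"}`. Since these snippets are copied verbatim into customer sites, it may also be worth stating in the prose that `SameSite=Strict` is set without `Secure`, so the `stg_debug` cookie is still sent over plain HTTP where the host page allows it. The second snippet's `document.write(` line is truncated in this copy of the diff, so I cannot confirm whether the same change applies there.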
@@ -108,9 +108,9 @@ To load all necessary assets from Tag Manager debugger you need to define source
.. code-block:: javascript
- img-src https://client.containers.piwik.pro;
- font-src https://client.containers.piwik.pro;
- style-src https://client.containers.piwik.pro;
+ img-src https://client.piwik.pro;
+ font-src https://client.piwik.pro;
+ style-src https://client.piwik.pro;
Consent Manager form assets
@@ -120,13 +120,9 @@ If your website is GDPR compliant then you need to describe ``connect-src``, ``s
.. code-block:: javascript
- connect-src https://client.piwik.pro https://client.containers.piwik.pro;
+ connect-src https://client.piwik.pro;
style-src 'nonce-INSERT_VALID_NONCE_VALUE';
-.. note::
- Please note that we define here tracking domain **client.piwik.pro** for collecting visitor consents and container domain **client.containers.piwik.pro** for fetching consent form assets.
-
-
Consent Manager's data subject request widget
------------
@@ -168,7 +164,6 @@ Following example configuration of CSP assumes:
- client's website address: **client.com**
- Consent Manager is enabled for the website
- client's organization name in Piwik PRO: **client**
-- client's container domain: **client.containers.piwik.pro**
- client has Piwik PRO tag with default tracking domain: **client.piwik.pro**
- nonce value: **nceIOfn39fn3e9h3sd**
- configuration allows ``'self'`` source which is: **client.com**
@@ -177,7 +172,7 @@ Following example configuration of CSP assumes:
Content-Security-Policy: default-src 'none';
script-src 'self' https://client.piwik.pro/ppms.js 'nonce-nceIOfn39fn3e9h3sd';
- connect-src 'self' https://client.containers.piwik.pro https://client.piwik.pro;
- img-src 'self' https://client.containers.piwik.pro https://client.piwik.pro;
- font-src 'self' https://client.containers.piwik.pro;
- style-src 'self' https://client.containers.piwik.pro 'nonce-nceIOfn39fn3e9h3sd';
+ connect-src 'self' https://client.piwik.pro;
+ img-src 'self' https://client.piwik.pro;
+ font-src 'self' https://client.piwik.pro;
+ style-src 'self' https://client.piwik.pro 'nonce-nceIOfn39fn3e9h3sd';