Nginx CSP Update

index.html

@@ -4,12 +4,50 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/png" href="/favicon.png" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Small Business Lending Data Submission Platform | Consumer Financial Protection Bureau</title>
-    <meta name="robots" content="noindex">
-    <meta name="description" content="Use the CFPB small business lending data submission platform to upload your lending data, review validation results, and submit your filing." />
+    <title>
+      Small Business Lending Data Submission Platform | Consumer Financial
+      Protection Bureau
+    </title>
+    <meta name="robots" content="noindex" />
+    <meta
+      name="description"
+      content="Use the CFPB small business lending data submission platform to upload your lending data, review validation results, and submit your filing."
+    />
     <meta name="theme-color" content="#42b883" />
+    <!-- Google Tag Manager -->
+    <link
+      rel="preconnect"
+      href="https://www.googletagmanager.com"
+      crossorigin
+    />
+    <script nonce="nonce-placeholder">
+      (function (w, d, s, l, i) {
+        w[l] = w[l] || [];
+        w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
+        var f = d.getElementsByTagName(s)[0],
+          j = d.createElement(s),
+          dl = l != 'dataLayer' ? '&l=' + l : '';
+        j.async = true;
+        j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
+        var n = d.querySelector('[nonce]');
+        n && j.setAttribute('nonce', n.nonce || n.getAttribute('nonce'));
+        f.parentNode.insertBefore(j, f);
+      })(window, document, 'script', 'dataLayer', 'GTM-M4MJJB7P');
+    </script>
+    <!-- End Google Tag Manager -->
   </head>
   <body>
+    <!-- Google Tag Manager (noscript) -->
+    <noscript>
+      <iframe
+        src="https://www.googletagmanager.com/ns.html?id=GTM-M4MJJB7P"
+        height="0"
+        width="0"
+        style="display: none; visibility: hidden"
+      >
+      </iframe>
+    </noscript>
+    <!-- End Google Tag Manager (noscript) -->
     <noscript>You need to enable JavaScript to run this app.</noscript>
     <div id="root"></div>
     <!-- import-meta-env env var injection occurs below for production builds / cache busting -->

nginx/nginx.conf

@@ -35,8 +35,15 @@ http {
     ~localhost  "https://*.cfpb.gov localhost:*";
     default     "https://*.cfpb.gov";
   }
+
+  # nonce Injection
+  proxy_set_header Accept-Encoding "";
+  sub_filter_once off;
+  sub_filter_types *;
+  sub_filter nonce-placeholder $request_id;
+
   # CSP
-  add_header Content-Security-Policy "default-src 'self' blob:; script-src 'self' 'unsafe-inline' blob: data: ${cfpb_domains} https://tagmanager.google.com https://www.googletagmanager.com https://www.google-analytics.com https://www.consumerfinance.gov https://cdn.mouseflow.com; img-src 'self' blob: data: https://www.google-analytics.com https://raw.githubusercontent.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; frame-src 'self' https://www.youtube.com/ https://ffiec.cfpb.gov/; connect-src 'self' ${cfpb_domains} https://www.consumerfinance.gov https://raw.githubusercontent.com https://ffiec-api.cfpb.gov https://ffiec.cfpb.gov https://*.mapbox.com https://www.google-analytics.com https://s3.amazonaws.com http://*.algolia.net https://stats.g.doubleclick.net;";
+  add_header Content-Security-Policy "default-src 'self' blob:; script-src 'self' 'nonce-$request_id' blob: data: ${cfpb_domains} https://dap.digitalgov.gov https://tagmanager.google.com https://www.googletagmanager.com https://www.google-analytics.com https://www.consumerfinance.gov https://cdn.mouseflow.com; img-src 'self' blob: data: https://www.google-analytics.com https://raw.githubusercontent.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; frame-src 'self' https://www.youtube.com/ https://ffiec.cfpb.gov/; connect-src 'self' ${cfpb_domains} https://www.consumerfinance.gov https://raw.githubusercontent.com https://ffiec-api.cfpb.gov https://ffiec.cfpb.gov https://*.mapbox.com https://www.google-analytics.com https://s3.amazonaws.com http://*.algolia.net https://stats.g.doubleclick.net;";
 
   # Restrict referrer
   add_header Referrer-Policy "strict-origin";