wip: more appropriate GTM-related CSP

mbta · Nov 22, 2024 · ff0870b · ff0870b
1 parent d0e37ef
commit ff0870b
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/lib/dotcom_web/plugs/secure_headers.ex b/lib/dotcom_web/plugs/secure_headers.ex
@@ -14,8 +14,9 @@ defmodule DotcomWeb.Plugs.SecureHeaders do
       analytics.google.com
       px.ads.linkedin.com
       stats.g.doubleclick.net
-      www.google-analytics.com
-      www.google.com
+      https://*.google-analytics.com
+      https://*.analytics.google.com
+      https://*.googletagmanager.com
     ],
     default: ~w[default-src 'none'],
     font: ~w[font-src 'self'],
@@ -44,14 +45,13 @@ defmodule DotcomWeb.Plugs.SecureHeaders do
       px.ads.linkedin.com
       www.linkedin.com
       www.facebook.com
-      www.googletagmanager.com
+      https://*.google-analytics.com
     ],
     script: ~w[
       script-src
       'nonce-{NONCE}'
       'self'
       'unsafe-eval'
-      'unsafe-inline'
       *.arcgis.com
       *.google.com
       *.googleapis.com
@@ -62,7 +62,7 @@ defmodule DotcomWeb.Plugs.SecureHeaders do
       www.instagram.com
       www.google-analytics.com
       www.gstatic.com
-      www.googletagmanager.com
+      https://*.googletagmanager.com
     ],
     style: ~w[style-src 'self' 'unsafe-inline' www.gstatic.com],
     worker: ~w[worker-src blob: ;]