Comments (10)
thanks for raising this topic!
I think this is probably too complicated to automate - as we have many different integrations here and the CSP header can be rather complex (afaik). Also I don't think it is a good idea to automatically change a security header and users should do that intentionally.
Would be good to hear other thoughts on this.
Maybe an entry in the readme should be added?
from rack-tracker.
> the CSP header can be rather complex
no, it's actually quite simple. the parsing instructions are 6 points.
https://w3c.github.io/webappsec-csp/2/#syntax-and-algorithms
> don't think it is a good idea to automatically change a security header
well, could be controllable. but you'll need it guaranteed if you're deploying a csp.
so your suggestion would be to automatically add domains of the included integrations?
we just need a general function (not just google), so each handler should know what domain(s) to add.
and maybe we can make this feature configurable.
> so your suggestion would be to automatically add domains of the included integrations?
either that or give a warning if a csp is set but missing the handler's sources. the warning may be a sensible approach between modifying the header and doing nothing at all?
> we just need a general function (not just google), so each handler should know what domain(s) to add.
yes
> and maybe we can make this feature configurable.
yes. via an option.
the nonce-src feature of csp just came to my mind. instead of adding each script url for each handler in use, rack-tracker
could generate a nonce value, add that to each script tag and add that nonce to the csp. that's one single approach to white-list all rack-tracker-injected scripts independent from the tracker's actual script source.
https://w3c.github.io/webappsec-csp/2/#script-src-nonce-usage
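Both options floated in the comments above (warn when a configured CSP lacks a handler's sources, and mint a nonce for every injected script tag), as an added Ruby example that is not rack-tracker's own code; the `HANDLER_SOURCES` registry and handler name are hypothetical, and source matching is exact-host only (no scheme, port or wildcard matching).

```ruby
require 'securerandom'

# Parse a CSP header into {directive => [sources]}: ';'-separated directives, space-separated tokens,
# and the first occurrence of a directive name wins (CSP2 §4.1).
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] ||= sources
  end
end
def serialize_csp(policy)
  policy.map { |name, sources| ([name] + sources).join(' ') }.join('; ')
end

# Sources each handler injects (hypothetical registry; hosts follow the thread's GA example).
HANDLER_SOURCES = {
  'google_analytics' => { 'script-src' => ['www.google-analytics.com'], 'img-src' => ['www.google-analytics.com'] },
}.freeze

# "Warn, don't modify": list handler sources the policy does not allow. Matching is
# exact-host only, and a directive absent from the policy falls back to default-src.
def missing_sources(header, handlers)
  policy = parse_csp(header)
  handlers.flat_map do |handler|
    HANDLER_SOURCES.fetch(handler).flat_map do |directive, hosts|
      allowed = policy[directive] || policy['default-src'] || []
      hosts.reject { |h| allowed.include?(h) || allowed.include?('*') }.map { |h| "#{directive} #{h}" }
    end
  end
end

# Nonce approach: mint a per-response nonce, allow it in script-src, and stamp it on
# every injected script tag regardless of the tracker's actual script host.
def add_script_nonce(header, nonce = SecureRandom.base64(16))
  policy = parse_csp(header)
  policy['script-src'] = (policy['script-src'] || policy['default-src'] || []).dup
  policy['script-src'] << "'nonce-#{nonce}'"
  [serialize_csp(policy), nonce]
end
def script_tag(src, nonce)
  %(<script src="#{src}" nonce="#{nonce}"></script>)
end

# CSP2+ browsers ignore 'unsafe-inline' once the same directive carries a nonce or hash, so a tracker
# that needs inline scripts cannot be combined with the nonce approach (the conflict raised later in the thread).
def unsafe_inline_ignored?(header, directive = 'script-src')
  sources = parse_csp(header)[directive] || []
  sources.include?("'unsafe-inline'") && sources.any? { |s| s.start_with?("'nonce-", "'sha") }
end
```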
yeah, I was also thinking about that topic for rack tracker a couple weeks ago.
CSP is maybe the best mechanism available against XSS.
But in my opinion it's not so easy to have a strong CSP and use tracking scripts at the same time.
Yes, one solution would definitely be a nonce based approach.
Rails 5.2+ has this out of the box. We would just need to pass it through, when initializing the handler in the controller and add it to the script tags.
But the problem is that some tracking scripts (at least the famous ones) require the unsafe-inline option on src and style directives. And if I understood CSP correctly, you can't have both... using unsafe-inline for some scripts, but also using a nonce. 🤷♂
Which makes the whole use of a CSP policy pointless in my opinion...
Working around this would require a controller based decision, of enabling/disabling the CSP vs a nonce approach for others where you don't need tracking?
I don't know. The Rails Guides have only a short entry on that topic.
Please advise :)
> But the problem is that some tracking scripts (at least the famous ones) require the unsafe-inline option on src and style directives. And if I understood CSP correctly, you can't have both
crap, you're right. was a nice dream, though.
> Please advise :)
🤔
may be relevant: https://ayesh.me/google-analytics-csp
TL;DR
? Move your inline Analytics script to a separate file
✅ Allow scripts from www.google-analytics.com with script-src directive.
✅ Allow images from www.google-analytics.com with img-src.
➡️ Content-Security-Policy: script-src www.google-analytics.com; img-src www.google-analytics.com
⚠️ Take note that the above is not your final CSP.
also relevant, specifically for google: https://developers.google.com/tag-manager/web/csp
tl;dr: it's a clusterfuck.
yeah CSP and tracking conflicts quite a lot :D
When there is no easy solution, I would recommend that we add a short general guidance on that topic to the readme.
Would you like to start something for this? :)
I'll close this for now. Let's reopen it when the topic comes up again.