Replace gtm script with nonce compatible version

6bb09903 · Nicolas Dular · Vitaly Slobodin · 89099ed4 · 6bb09903 · 6bb09903
Commit 6bb09903 authored Nov 23, 2021 by Nicolas Dular Committed by Vitaly Slobodin Nov 23, 2021
6 changed files
--- a/app/helpers/auth_helper.rb
+++ b/app/helpers/auth_helper.rb
@@ -164,10 +164,25 @@ module AuthHelper
  end

  def google_tag_manager_enabled?
-    Gitlab.com? &&
-      extra_config.has_key?('google_tag_manager_id') &&
-      extra_config.google_tag_manager_id.present? &&
-      !current_user
+    return false unless Gitlab.dev_env_or_com?
+
+    has_config_key = if Feature.enabled?(:gtm_nonce, type: :ops)
+                       extra_config.has_key?('google_tag_manager_nonce_id') &&
+                          extra_config.google_tag_manager_nonce_id.present?
+                     else
+                       extra_config.has_key?('google_tag_manager_id') &&
+                          extra_config.google_tag_manager_id.present?
+                     end
+
+    has_config_key && !current_user
+  end
+
+  def google_tag_manager_id
+    return unless google_tag_manager_enabled?
+
+    return extra_config.google_tag_manager_nonce_id if Feature.enabled?(:gtm_nonce, type: :ops)
+
+    extra_config.google_tag_manager_id
  end

  def auth_app_owner_text(owner)

--- a/app/views/layouts/_google_tag_manager_body.html.haml
+++ b/app/views/layouts/_google_tag_manager_body.html.haml
 - return unless google_tag_manager_enabled?

-<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=#{extra_config.google_tag_manager_id}"
+<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=#{google_tag_manager_id}"
 height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
--- a/app/views/layouts/_google_tag_manager_head.html.haml
+++ b/app/views/layouts/_google_tag_manager_head.html.haml
- if google_tag_manager_enabled?
+- return unless google_tag_manager_enabled?
+
+- if Feature.enabled?(:gtm_nonce, type: :ops)
+  = javascript_tag do
+    :plain
+      (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+      new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+      j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+      'https://www.googletagmanager.com/gtm.js?id='+i+dl;var n=d.querySelector('[nonce]');
+      n&&j.setAttribute('nonce',n.nonce||n.getAttribute('nonce'));f.parentNode.insertBefore(j,f);
+      })(window,document,'script','dataLayer','#{google_tag_manager_id}');
+- else
  = javascript_tag do
    :plain
      (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
      new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
      j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
      'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
-      })(window,document,'script','dataLayer','#{extra_config.google_tag_manager_id}');
+      })(window,document,'script','dataLayer','#{google_tag_manager_id}');
--- a/config/feature_flags/ops/gtm_nonce.yml
+++ b/config/feature_flags/ops/gtm_nonce.yml
+---
+name: gtm_nonce
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/58494
+rollout_issue_url:
+milestone: '14.6'
+type: ops
+group: group::product intelligence
+default_enabled: false
--- a/lib/gitlab/content_security_policy/directives.rb
+++ b/lib/gitlab/content_security_policy/directives.rb
@@ -8,7 +8,7 @@ module Gitlab
  module ContentSecurityPolicy
    module Directives
      def self.frame_src
-        "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+        "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html"
      end

      def self.script_src

--- a/spec/helpers/auth_helper_spec.rb
+++ b/spec/helpers/auth_helper_spec.rb
@@ -283,35 +283,84 @@ RSpec.describe AuthHelper do

    before do
      allow(Gitlab).to receive(:com?).and_return(is_gitlab_com)
-      stub_config(extra: { google_tag_manager_id: 'key' })
      allow(helper).to receive(:current_user).and_return(user)
    end

-    subject(:google_tag_manager_enabled?) { helper.google_tag_manager_enabled? }
-
-    context 'on gitlab.com and a key set without a current user' do
-      it { is_expected.to be_truthy }
-    end
+    subject(:google_tag_manager_enabled) { helper.google_tag_manager_enabled? }

    context 'when not on gitlab.com' do
      let(:is_gitlab_com) { false }

-      it { is_expected.to be_falsey }
+      it { is_expected.to eq(false) }
    end

-    context 'when current user is set' do
-      let(:user) { instance_double('User') }
+    context 'regular and nonce versions' do
+      using RSpec::Parameterized::TableSyntax

-      it { is_expected.to be_falsey }
+      where(:gtm_nonce_enabled, :gtm_key) do
+        false | 'google_tag_manager_id'
+        true  | 'google_tag_manager_nonce_id'
+      end
+
+      with_them do
+        before do
+          stub_feature_flags(gtm_nonce: gtm_nonce_enabled)
+          stub_config(extra: { gtm_key => 'key' })
+        end
+
+        context 'on gitlab.com and a key set without a current user' do
+          it { is_expected.to be_truthy }
+        end
+
+        context 'when current user is set' do
+          let(:user) { instance_double('User') }
+
+          it { is_expected.to eq(false) }
+        end
+
+        context 'when no key is set' do
+          before do
+            stub_config(extra: {})
+          end
+
+          it { is_expected.to eq(false) }
+        end
+      end
+    end
+  end
+
+  describe '#google_tag_manager_id' do
+    subject(:google_tag_manager_id) { helper.google_tag_manager_id }
+
+    before do
+      stub_config(extra: { 'google_tag_manager_nonce_id': 'nonce', 'google_tag_manager_id': 'gtm' })
    end

-    context 'when no key is set' do
+    context 'when google tag manager is disabled' do
      before do
-        stub_config(extra: {})
+        allow(helper).to receive(:google_tag_manager_enabled?).and_return(false)
      end

      it { is_expected.to be_falsey }
    end
+
+    context 'when google tag manager is enabled' do
+      before do
+        allow(helper).to receive(:google_tag_manager_enabled?).and_return(true)
+      end
+
+      context 'when nonce feature flag is enabled' do
+        it { is_expected.to eq('nonce') }
+      end
+
+      context 'when nonce feature flag is disabled' do
+        before do
+          stub_feature_flags(gtm_nonce: false)
+        end
+
+        it { is_expected.to eq('gtm') }
+      end
+    end
  end

  describe '#auth_app_owner_text' do