Replace gtm script with nonce compatible version

app/helpers/auth_helper.rb

@@ -164,10 +164,25 @@ module AuthHelper
   end
 
   def google_tag_manager_enabled?
-    Gitlab.com? &&
+    return false unless Gitlab.dev_env_or_com?
+
+    has_config_key = if Feature.enabled?(:gtm_nonce, type: :ops)
+                       extra_config.has_key?('google_tag_manager_nonce_id') &&
+                          extra_config.google_tag_manager_nonce_id.present?
+                     else
                        extra_config.has_key?('google_tag_manager_id') &&
-      extra_config.google_tag_manager_id.present? &&
-      !current_user
+                          extra_config.google_tag_manager_id.present?
+                     end
+
+    has_config_key && !current_user
+  end
+
+  def google_tag_manager_id
+    return unless google_tag_manager_enabled?
+
+    return extra_config.google_tag_manager_nonce_id if Feature.enabled?(:gtm_nonce, type: :ops)
+
+    extra_config.google_tag_manager_id
   end
 
   def auth_app_owner_text(owner)

app/views/layouts/_google_tag_manager_body.html.haml

 - return unless google_tag_manager_enabled?
 
-<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=#{extra_config.google_tag_manager_id}"
+<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=#{google_tag_manager_id}"
 height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

app/views/layouts/_google_tag_manager_head.html.haml

-- if google_tag_manager_enabled?
+- return unless google_tag_manager_enabled?
+
+- if Feature.enabled?(:gtm_nonce, type: :ops)
+  = javascript_tag do
+    :plain
+      (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+      new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+      j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+      'https://www.googletagmanager.com/gtm.js?id='+i+dl;var n=d.querySelector('[nonce]');
+      n&&j.setAttribute('nonce',n.nonce||n.getAttribute('nonce'));f.parentNode.insertBefore(j,f);
+      })(window,document,'script','dataLayer','#{google_tag_manager_id}');
+- else
   = javascript_tag do
     :plain
       (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
       new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
       j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
       'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
-      })(window,document,'script','dataLayer','#{extra_config.google_tag_manager_id}');
+      })(window,document,'script','dataLayer','#{google_tag_manager_id}');

config/feature_flags/ops/gtm_nonce.yml

+---
+name: gtm_nonce
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/58494
+rollout_issue_url:
+milestone: '14.6'
+type: ops
+group: group::product intelligence
+default_enabled: false

lib/gitlab/content_security_policy/directives.rb

@@ -8,7 +8,7 @@ module Gitlab
   module ContentSecurityPolicy
     module Directives
       def self.frame_src
-        "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+        "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html"
       end
 
       def self.script_src

spec/helpers/auth_helper_spec.rb

@@ -283,26 +283,39 @@ RSpec.describe AuthHelper do
 
     before do
       allow(Gitlab).to receive(:com?).and_return(is_gitlab_com)
-      stub_config(extra: { google_tag_manager_id: 'key' })
       allow(helper).to receive(:current_user).and_return(user)
     end
 
-    subject(:google_tag_manager_enabled?) { helper.google_tag_manager_enabled? }
-
-    context 'on gitlab.com and a key set without a current user' do
-      it { is_expected.to be_truthy }
-    end
+    subject(:google_tag_manager_enabled) { helper.google_tag_manager_enabled? }
 
     context 'when not on gitlab.com' do
       let(:is_gitlab_com) { false }
 
-      it { is_expected.to be_falsey }
+      it { is_expected.to eq(false) }
+    end
+
+    context 'regular and nonce versions' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:gtm_nonce_enabled, :gtm_key) do
+        false | 'google_tag_manager_id'
+        true  | 'google_tag_manager_nonce_id'
+      end
+
+      with_them do
+        before do
+          stub_feature_flags(gtm_nonce: gtm_nonce_enabled)
+          stub_config(extra: { gtm_key => 'key' })
+        end
+
+        context 'on gitlab.com and a key set without a current user' do
+          it { is_expected.to be_truthy }
         end
 
         context 'when current user is set' do
           let(:user) { instance_double('User') }
 
-      it { is_expected.to be_falsey }
+          it { is_expected.to eq(false) }
         end
 
         context 'when no key is set' do
@@ -310,8 +323,44 @@ RSpec.describe AuthHelper do
             stub_config(extra: {})
           end
 
+          it { is_expected.to eq(false) }
+        end
+      end
+    end
+  end
+
+  describe '#google_tag_manager_id' do
+    subject(:google_tag_manager_id) { helper.google_tag_manager_id }
+
+    before do
+      stub_config(extra: { 'google_tag_manager_nonce_id': 'nonce', 'google_tag_manager_id': 'gtm' })
+    end
+
+    context 'when google tag manager is disabled' do
+      before do
+        allow(helper).to receive(:google_tag_manager_enabled?).and_return(false)
+      end
+
       it { is_expected.to be_falsey }
     end
+
+    context 'when google tag manager is enabled' do
+      before do
+        allow(helper).to receive(:google_tag_manager_enabled?).and_return(true)
+      end
+
+      context 'when nonce feature flag is enabled' do
+        it { is_expected.to eq('nonce') }
+      end
+
+      context 'when nonce feature flag is disabled' do
+        before do
+          stub_feature_flags(gtm_nonce: false)
+        end
+
+        it { is_expected.to eq('gtm') }
+      end
+    end
   end
 
   describe '#auth_app_owner_text' do