Cover self-hosted Google Tag Manager entries: "https://gtm.<domain>/gtm.js?id=GTM-..."

[philipp-classen]

Matches entries like:

• (Found on idealo.de) https://gtm.idealo.de/gtm.js?id=GTM-WVMX98J

Not sure how common the setup is; but if a domain has a subdomain gtm and serves from there /gtm.js?id=GTM-..., false-positives should be fairly unlikely.

[BrianClifton]

I would be tempted to classify this separately as "server-side GTM" or similar wording.

Its a growing enterprise configuration to avoid 3P script blocking by Safari et al.

Subdomains can literally be anything (e.g. my preferred choice is sgtm). Therefore my suggestion is to keep it simple and filter only on: /gtm.js

We have used this filter within our own app for approx 1 year and I have not found any issues.

[philipp-classen]

I would be tempted to classify this separately as "server-side GTM" or similar wording.

Its a growing enterprise configuration to avoid 3P script blocking by Safari et al.

Subdomains can literally be anything (e.g. my preferred choice is sgtm). Therefore my suggestion is to keep it simple and filter only on: /gtm.js

We have used this filter within our own app for approx 1 year and I have not found any issues.

Removing the domain check makes sense to me. Do you know if it general enough to keep the prefix check (id=GTM-), or do IDs also tend to vary in those setup?

We could split the entries to distinguish between the traditional and the server-side setup. I think, we could express it to match on any domain except for googletagmanager.com and use that in a separate pattern.

[BrianClifton]

I would be tempted to classify this separately as "server-side GTM" or similar wording.
Its a growing enterprise configuration to avoid 3P script blocking by Safari et al.
Subdomains can literally be anything (e.g. my preferred choice is sgtm). Therefore my suggestion is to keep it simple and filter only on: /gtm.js
We have used this filter within our own app for approx 1 year and I have not found any issues.

Removing the domain check makes sense to me. Do you know if it general enough to keep the prefix check (id=GTM-), or do IDs also tend to vary in those setup?

We could split the entries to distinguish between the traditional and the server-side setup. I think, we could express it to match on any domain except for googletagmanager.com and use that in a separate pattern.

Within our app we did not include any query parameters in the filter.

I have not seen an id parameter with another prefix, but it is possible. For example, these types of client side requests are common: https://www.googletagmanager.com/gtag/js?id=AW-

[philipp-classen]

I would be tempted to classify this separately as "server-side GTM" or similar wording.
Its a growing enterprise configuration to avoid 3P script blocking by Safari et al.
Subdomains can literally be anything (e.g. my preferred choice is sgtm). Therefore my suggestion is to keep it simple and filter only on: /gtm.js
We have used this filter within our own app for approx 1 year and I have not found any issues.

Removing the domain check makes sense to me. Do you know if it general enough to keep the prefix check (id=GTM-), or do IDs also tend to vary in those setup?
We could split the entries to distinguish between the traditional and the server-side setup. I think, we could express it to match on any domain except for googletagmanager.com and use that in a separate pattern.

Within our app we did not include any query parameters in the filter.

I have not seen an id parameter with another prefix, but it is possible. For example, these types of client side requests are common: https://www.googletagmanager.com/gtag/js?id=AW-

Thanks for the information. I think, we can start with including the "id=" matching for the start to avoid false-positives. And then either extend it to more prefixes or even drop it.

Changing it to a draft now. Will later try out if the pattern can be split into the server-side version.

[philipp-classen]

Split it into a separate pattern now: "Server-side Google Tag Manager", which matches only first-party requests.