Merge pull request #11 from silverstripeltd/feature/gtm-missing-directive-updates

Google Services fragment updates

Author: jareddreyerss

README.md

@@ -80,6 +80,16 @@ public function configure(): void
 }
 ```
 
+## Google Tag Manager / Adservices whitelist
+Google uses localised regional domains for visitors for image tracker loading, which can pile up report violations with `google.com|.co.nz|.com.au` etc in your reporting tool.
+To resolve this and rather than specifying all of Google's listed support domains (see https://www.google.com/supported_domains)
+A white list config can be set to the GTM fragment to whitelist all `https:` URLs on the `img-src` directive, for example:
+```yaml
+Silverstripe\CSP\Fragments\GoogleTagManager:
+  whitelist_google_regional_domains: true
+```
+> See also ImagesOverHTTPs::class for more basic cover of https images.
+
 ## SRI
 We also support SRI in this module, you can enable this via yaml:
 ```yaml

src/Fragments/GoogleMaps.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace App\ContentSecurity\Fragments;
+
+use Silverstripe\CSP\Directive;
+use Silverstripe\CSP\Fragments\Fragment;
+use Silverstripe\CSP\Policies\Policy;
+
+/*
+ * Allows execution of Google Maps API related resources
+ * Nonce on the https://maps.google.com/maps/api/js URL is required before using this fragment.
+ *
+ * https://content-security-policy.com/examples/google-maps/
+ */
+class GoogleMaps implements Fragment
+{
+    public static function addTo(Policy $policy): void
+    {
+         $policy
+             ->addDirective(Directive::CONNECT, 'https://maps.googleapis.com')
+             ->addDirective(Directive::IMG,
+                 [
+                    'https://maps.gstatic.com',
+                    'https://*.googleapis.com',
+                    'https://*.ggpht.com'
+                 ]
+             );
+    }
+}

src/Fragments/GoogleTagManager.php

@@ -2,6 +2,7 @@
 
 namespace Silverstripe\CSP\Fragments;
 
+use SilverStripe\Core\Config\Configurable;
 use Silverstripe\CSP\Directive;
 use Silverstripe\CSP\Keyword;
 use Silverstripe\CSP\Policies\Policy;
@@ -12,6 +13,10 @@
  */
 class GoogleTagManager implements Fragment
 {
+    use Configurable;
+
+    private static bool $whitelist_google_regional_domains = false;
+
     public static function addTo(Policy $policy): void
     {
         self::undocumented($policy);
@@ -25,14 +30,33 @@ public static function addTo(Policy $policy): void
     }
 
     /*
-     * These were ones not in the docs and had issues popping up
+     * CSP reported directive URIs that were not covered in the google docs
+     * and were continually over reporting CSP URI infringements.
+     *
+     * https://developers.google.com/web/fundamentals/security/csp#implementation_details
      */
     public static function undocumented(Policy $policy): void
     {
         $policy
-            ->addDirective(Directive::FRAME, '*.doubleclick.net')
-            ->addDirective(Directive::CONNECT, '*.doubleclick.net')
-            ->addDirective(Directive::IMG, '*.doubleclick.net');
+            ->addDirective(Directive::FRAME,
+                [
+                    'https://*.doubleclick.net',
+                    'https://stats.g.doubleclick.net',
+                    'http://bid.g.doubleclick.net',
+                ]
+            )
+            ->addDirective(Directive::CONNECT, [
+                'https://adservice.google.com',
+                'https://www.google.com',
+                'https://*.doubleclick.net',
+            ]);
+
+        // Google uses localised regional endpoint domains for their services
+        // if seeing regional google domain report violations
+        // setting this config will whitelist all img-src to allow 'https:'.
+        if (self::config()->get('whitelist_google_regional_domains') === true) {
+            $policy->addDirective(Directive::IMG, Scheme::HTTPS);
+        }
     }
 
     /*