
feat(security): add GTM and GA domains to CSP for hosted environments#4024

Merged
waleedlatif1 merged 2 commits into staging from waleedlatif1/add-gtm-ga-hosted
Apr 7, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Add GTM and GA domains to CSP script-src, img-src, connect-src, and frame-src directives
  • Updates both buildTimeCSPDirectives and generateRuntimeCSP()
  • All additions gated behind isHosted

Follows up on #3993 which added the GTM/GA scripts but missed the CSP allowlisting.

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Apr 7, 2026

The latest updates on your projects.

1 Skipped Deployment

Project: docs
Deployment: Skipped
Actions: Skipped
Updated (UTC): Apr 7, 2026 8:39pm

@cursor

cursor bot commented Apr 7, 2026

PR Summary

Medium Risk
Changes Content Security Policy allowlists to permit additional third-party Google domains in hosted environments, which can affect XSS containment if misconfigured. Scope is limited to CSP generation and gated behind isHosted.

Overview
Updates CSP generation to allow Google Tag Manager and Google Analytics domains when running in hosted mode (isHosted). This extends both build-time directives and the runtime CSP string to include GTM/GA entries in script-src, img-src, connect-src, and frame-src, and adjusts the CSP unit test mocks to include isHosted.

Reviewed by Cursor Bugbot for commit 1ce2a2f.

@greptile-apps
Contributor

greptile-apps bot commented Apr 7, 2026

Greptile Summary

This PR follows up on #3993 by adding the missing CSP allowlist entries for Google Tag Manager (GTM) and Google Analytics (GA) in hosted environments. Without these entries, browsers would block GTM/GA resources despite the scripts being loaded, producing CSP violation reports and broken analytics.

  • GTM (https://www.googletagmanager.com) and GA (https://www.google-analytics.com) added to script-src and img-src
  • Wildcard subdomains (https://*.google-analytics.com, https://*.analytics.google.com) added to connect-src for GA4 collection endpoints
  • GTM added to frame-src for the GTM preview/debug iframe
  • All four directives updated consistently in both buildTimeCSPDirectives (build time) and generateRuntimeCSP() (runtime middleware), with matching domain sets across both paths
  • All additions are correctly gated behind isHosted, leaving self-hosted deployments unaffected
  • The gtmImg variable pattern (flagged in a prior review) has been applied correctly alongside gtmScript, gtmConnect, and gtmFrame
  • The test file adds isHosted: false to the mock but has no test cases for the isHosted: true code path that exercises the new GTM domains

Confidence Score: 5/5

Safe to merge — the CSP additions are correct, consistent across both policy paths, and properly gated behind isHosted

All GTM/GA domains are identical between buildTimeCSPDirectives and generateRuntimeCSP(), the isHosted gate is applied correctly everywhere, and there are no logic or security regressions. The only remaining finding is P2: missing test coverage for the isHosted: true path, which does not block merge.

csp.test.ts — a separate hosted-mode test file would improve confidence in the new GTM domain additions

Important Files Changed

apps/sim/lib/core/security/csp.ts: Adds GTM/GA domains to all four relevant CSP directives in both build-time and runtime paths, consistently gated behind isHosted with matching domain sets across both code paths.

apps/sim/lib/core/security/csp.test.ts: Adds isHosted: false to the feature-flags mock, but no test cases cover the isHosted: true path exercising the new GTM/GA domain additions.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CSP header generation] --> B{isHosted?}
    B -->|true| C[Add GTM/GA domains]
    B -->|false| D[Standard CSP only]
    C --> E[script-src\ngoogletagmanager.com\ngoogle-analytics.com]
    C --> F[img-src\ngoogletagmanager.com\ngoogle-analytics.com]
    C --> G[connect-src\ngoogletagmanager.com\n*.google-analytics.com\n*.analytics.google.com]
    C --> H[frame-src\ngoogletagmanager.com]
    E & F & G & H --> I[Final CSP Header]
    D --> I

Reviews (2): Last reviewed commit: "lint"

waleedlatif1 force-pushed the waleedlatif1/add-gtm-ga-hosted branch from de69cc2 to 1ce2a2f on April 7, 2026 at 20:37
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1 waleedlatif1 merged commit e2d4d0e into staging Apr 7, 2026
11 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/add-gtm-ga-hosted branch April 7, 2026 20:49
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 1ce2a2f.

'https://s3.amazonaws.com',
'https://github.com/*',
'https://collector.onedollarstats.com',
...(isHosted ? ['https://www.googletagmanager.com', 'https://www.google-analytics.com'] : []),

CSP img-src uses exact domains instead of wildcards

Medium Severity

The img-src directive uses exact www. domains (https://www.google-analytics.com, https://www.googletagmanager.com) while the connect-src directive in the same PR correctly uses wildcards (https://*.google-analytics.com). Google's official CSP documentation for GA4 explicitly recommends wildcards for img-src too: https://*.google-analytics.com https://*.googletagmanager.com. GA tracking pixels can be served from non-www subdomains (e.g., regional endpoints), which would be blocked by the exact-domain img-src entries. This inconsistency exists in both buildTimeCSPDirectives and gtmImg in generateRuntimeCSP().

Additional Locations (1)

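The behaviour this PR describes (GTM/GA sources added per directive, gated on isHosted, with no hosted-mode test case as Greptile noted) and the exact-host versus wildcard img-src point Bugbot raises above, worked through as an added TypeScript example. This is not code from the sim repository, from csp.ts, or from either bot; the function names, the directive lists, the sample request URLs and the report shape are assumptions made for illustration, and the matcher implements only the scheme and host parts of CSP source matching (port and path rules are left out).

```typescript
// Added example, not the project's code. Models a CSP builder whose GTM/GA
// entries are gated on isHosted, the hosted-mode assertions a test file would
// make, and a minimal CSP host-source matcher that shows why an exact www.
// host in img-src does not cover a regional GA host. All names here are
// assumptions, not the code in apps/sim/lib/core/security/csp.ts.

type Directives = Record<string, string[]>;

const GTM = 'https://www.googletagmanager.com';
const GA_WWW = 'https://www.google-analytics.com';

export function buildCspDirectives(isHosted: boolean): Directives {
  // One hosted-only list per directive, mirroring the PR's
  // gtmScript / gtmImg / gtmConnect / gtmFrame split.
  const gtmScript = isHosted ? [GTM, GA_WWW] : [];
  const gtmImg = isHosted ? [GTM, GA_WWW] : [];
  const gtmConnect = isHosted
    ? [GTM, 'https://*.google-analytics.com', 'https://*.analytics.google.com']
    : [];
  const gtmFrame = isHosted ? [GTM] : [];
  return {
    'default-src': ["'self'"],
    'script-src': ["'self'", ...gtmScript],
    'img-src': ["'self'", 'data:', ...gtmImg],
    'connect-src': ["'self'", ...gtmConnect],
    'frame-src': ["'self'", ...gtmFrame],
  };
}

// Serialises directives into the header value a runtime middleware would emit.
export function serializeCsp(directives: Directives): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Host-source matching as CSP defines it, scheme and host only.
// "*.example.com" matches any subdomain of example.com but not example.com
// itself; a host written without "*." must match the request host exactly.
// An http: source also matches https: requests; keywords and scheme-only
// sources ('self', data:) never match here.
export function sourceMatches(source: string, url: string): boolean {
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const target = new URL(url);
  const targetScheme = target.protocol.replace(':', '').toLowerCase();
  const sourceScheme = scheme.toLowerCase();
  if (sourceScheme !== targetScheme && !(sourceScheme === 'http' && targetScheme === 'https')) {
    return false;
  }
  const targetHost = target.hostname.toLowerCase();
  const sourceHost = host.toLowerCase();
  if (wildcard) return targetHost.endsWith('.' + sourceHost);
  return targetHost === sourceHost;
}

export function allowedBy(sources: string[], url: string): boolean {
  return sources.some((s) => sourceMatches(s, url));
}

// Constructed request URLs of the kind a GTM/GA4 page issues; not captured traffic.
export const SAMPLE = {
  gtmScript: 'https://www.googletagmanager.com/gtm.js',
  wwwPixel: 'https://www.google-analytics.com/g/collect',
  regionalPixel: 'https://region1.google-analytics.com/g/collect',
  regionalBeacon: 'https://region1.analytics.google.com/g/collect',
};

// The checks a hosted-mode test case would assert, plus the gap Bugbot reported.
export function hostedModeReport() {
  const hosted = buildCspDirectives(true);
  const selfHosted = buildCspDirectives(false);
  const header = serializeCsp(hosted);
  const four = ['script-src', 'img-src', 'connect-src', 'frame-src'];
  return {
    selfHostedHasNoGoogle: !serializeCsp(selfHosted).includes('google'),
    gtmInAllFour: four.every((d) => (hosted[d] ?? []).includes(GTM)),
    headerCarriesFrameSrc: header.includes(`frame-src 'self' ${GTM}`),
    scriptAllowed: allowedBy(hosted['script-src'] ?? [], SAMPLE.gtmScript), // true
    wwwPixelAllowed: allowedBy(hosted['img-src'] ?? [], SAMPLE.wwwPixel), // true
    regionalPixelAllowed: allowedBy(hosted['img-src'] ?? [], SAMPLE.regionalPixel), // false: exact www host
    regionalBeaconAllowed: allowedBy(hosted['connect-src'] ?? [], SAMPLE.regionalBeacon), // true: wildcard
  };
}
```

regionalPixelAllowed coming back false is the Bugbot finding in executable form: an img-src list built from www.google-analytics.com does not match region1.google-analytics.com, while the wildcard connect-src entry does match region1.analytics.google.com. Changing the img entries to the https://*.google-analytics.com and https://*.googletagmanager.com forms the bot quotes flips that value, and because the same list feeds both the directive object and the serialised header, a single test over hostedModeReport() also covers the build-time/runtime consistency Greptile checked by hand.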
