Skip to content

added nonce to analytics #953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
taoteg merged 1 commit into from
May 21, 2025
Merged

added nonce to analytics #953

taoteg merged 1 commit into from
May 21, 2025

Conversation

@taoteg
Copy link
Contributor

@taoteg taoteg commented May 21, 2025

Overview

Checking for delta between main and dev branch.

Related

Changes

Added nonce for analytics requests.

Testing

  1. Build and deploy Core-CMS in prod.cep to verify that analytics are still being tracked properly.
  2. Will have to either:
    2A. Find the logging from ITS scans being run against the host to see if the flagged issue has been resolved in the security scans.
    2B. Find a way to validate the nonce directly (some kind of bash check I suspect).

UI

None.

@taoteg taoteg requested a review from happycodemonkey May 21, 2025 18:11
happycodemonkey
happycodemonkey approved these changes May 21, 2025
View reviewed changes
Copy link
Member

@happycodemonkey happycodemonkey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me

@taoteg taoteg merged commit bf5f2de into main May 21, 2025
@taoteg taoteg deleted the task/add-nonce-for-analytics branch May 21, 2025 18:14
wesleyboar
wesleyboar reviewed May 22, 2025
View reviewed changes
Copy link
Member

@wesleyboar wesleyboar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have concerns.

taccsite_cms/templates/analytics.html
{% else %}
<!-- Global site tag (gtag.js) & Google Analytics Code for Site. -->
<script async src="https://www.googletagmanager.com/gtag/js?id={{ settings.GOOGLE_ANALYTICS_PROPERTY_ID }}"></script>
<script async nonce="CSP_NONCE" src="https://www.googletagmanager.com/gtag/js?id={{ settings.GOOGLE_ANALYTICS_PROPERTY_ID }}"></script>
Copy link
Member

@wesleyboar wesleyboar May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a static string value. I think a nonce is suppose to be a random value per HTTP response.

  1. Is this a test? If so, why merge instead of build image from branch?

  2. Why do we now need a nonce? Is it because Google Analytics changed something, and we should "avoid using the CSP unsafe-inline directive" as a solution?

    […] If you don't need nonce, don't use it. […] Always try to take full advantage of CSP protections and avoid nonces or unsafe inline scripts whenever possible.
    MDN: nonce

Note

@chandra-tacc's attempt at this was #672. It probably made a dynamic value, but added nonce on more elements than seemed necessary.

Copy link
Member

@wesleyboar wesleyboar May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Google also says nonce should be server-generated, but it says the nonce can be supplied in server config's "Content-Security-Policy" instead. That may be easier and cover all scripts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wesleyboar wesleyboar wesleyboar left review comments

@happycodemonkey happycodemonkey happycodemonkey approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@taoteg @happycodemonkey @wesleyboar