
I want to integrate the Google AdWords conversion script into my web app, therefore I have to extend my CSP rule to allow it.

I have a problem allowing https://www.google.xx/ads/ in the script-src policy because it looks like the domain is going to change depending on the region.

For example, if I access the page in Switzerland, the allowed script should be https://www.google.ch/ads/, but if I access it in Romania, the allowed script should be https://www.google.ro/ads/, etc.

How could I allow all domains in my policy without having to list all countries and regions of the world?

Thanks in advance for the help.

P.S.: Console stack trace:

Refused to load the script 'https://www.google.ro/ads/user-lists/8...

P.P.S.: I tried to whitelist it using a nonce, but it looks like the following script can't be whitelisted like this:

<script nonce="random-base64">
  window.dataLayer = window.dataLayer || [];
  var gtag = function gtag(){ // <---- There, CSP problem
    dataLayer.push(arguments);
  };
  gtag('js', new Date());

  gtag('config', 'SOMETHING');
</script>

P.P.P.S.: Same problem with img-src, by the way: Google Adwords CSP (content security policy) img-src

David Dal Busco

1 Answer


How could I allow all domains in my policy without having to list all countries and regions of the world?

You don't. There's no TLD-level whitelist, and for good reason. You can't possibly guarantee that a different TLD with the same main domain is the same entity, so a wildcard would make no sense.

I've had this issue with Google AdSense as well, and basically your only options are an excessive whitelist (manually listing every possible domain and hoping they don't add new ones), an even more excessive global whitelist (this is extremely not recommended), or just listing the most common countries of origin and accepting that some geolocales will be excluded.

The third option is generally the best. I use AdSense, not AdWords, but most of my traffic comes from the US, and I'm willing to lose ad impressions from a few specific countries with low hit counts to keep from maintaining an absurd list.

The only real solution here can come from Google: they have to stop serving resources from different TLDs (this is, IMO, a terrible practice in all cases since hreflang tags are a thing anyway). I'm kind of surprised Google is even still doing it in 2018, with CSP being a moderately big deal, but here we are.

As for img-src, just use https:, IMO. It's okay to over-eagerly load images if you're dealing with an unpredictable third-party domain set. CSP is meant to block dangerous content. img-src is a pretty low risk factor and would pretty much have to be mixed with a second exploit to cause real harm.

Ben Brocka
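To make the answer's point concrete, here is an added example (not code from the question or the answer) that models how a browser matches a URL against CSP source expressions, following the CSP3 rules for scheme-sources and host-sources only; 'self', nonces and hashes are out of scope, and the policy strings and URLs are constructed. It shows that listing https://www.google.ch/ads/ does nothing for www.google.ro, that a wildcard TLD such as www.google.* is not a valid source at all, and that a bare https: (the img-src suggestion above) matches any HTTPS URL.

```javascript
// Added example: simplified CSP3 source-expression matching. Not the site's or
// Google's code; 'self', nonces and hashes are deliberately not modelled.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// host-source grammar: [scheme "://"] host [":" port] [path]
// host may be "*" or start with "*.", but the TLD itself can never be a wildcard.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9\-]+(?:\.[a-z0-9\-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

function sourceMatches(expr, urlString) {
  const url = new URL(urlString);
  if (expr.startsWith("'")) return false;             // keyword/nonce/hash: not modelled here
  if (expr === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.\-]*:$/i.test(expr))            // scheme-source such as "https:"
    return url.protocol.toLowerCase() === expr.toLowerCase();
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;                                // invalid expression: browsers ignore it
  const [, scheme, host, port, path] = m;
  // With an explicit scheme the URL must use it; without one, http(s) is implied.
  if (scheme ? url.protocol !== scheme.toLowerCase() + ':' : !/^https?:$/.test(url.protocol)) return false;
  const h = url.hostname.toLowerCase(), eh = host.toLowerCase();
  if (eh === '*') { /* any host */ }
  else if (eh.startsWith('*.')) { if (!h.endsWith(eh.slice(1))) return false; }  // "*.x.com" needs ".x.com" suffix
  else if (h !== eh) return false;
  if (port && port !== '*' && (url.port || DEFAULT_PORT[url.protocol] || '') !== port) return false;
  if (path) {
    // A trailing "/" means prefix match on the path; otherwise the path must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// True if any source in the directive value permits the URL.
function allowedBy(directiveValue, urlString) {
  return directiveValue.trim().split(/\s+/).some(src => sourceMatches(src, urlString));
}

// Constructed policy: the Swiss host is listed, the Romanian one is not.
const scriptSrc = "'self' 'nonce-random-base64' https://www.google.ch/ads/";
console.log(allowedBy(scriptSrc, 'https://www.google.ch/ads/user-lists/1'));        // true
console.log(allowedBy(scriptSrc, 'https://www.google.ro/ads/user-lists/1'));        // false
console.log(allowedBy('https://www.google.*/ads/', 'https://www.google.ro/ads/x')); // false: wildcard TLD is invalid
console.log(allowedBy('https:', 'https://www.google.ro/ads/pixel.png'));           // true: img-src https:
```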