What Is Content Security Policy<\/h2>\n\n\n\n
CSP is an HTTP header that tells the browser: \u201cYou may only run scripts from these sources.\u201d Nothing more, nothing less.<\/p>\n\n\n\n
Content-Security-Policy: \n script-src 'self' https:\/\/*.googletagmanager.com;\n connect-src 'self' https:\/\/*.google-analytics.com;\n img-src 'self' https:\/\/*.google-analytics.com;\n<\/code><\/pre>\n\n\n\nFor analytics, these directives matter most:<\/p>\n\n\n\n
\nscript-src<\/code><\/strong> \u2014 which scripts may execute (the critical one)<\/li>\n\n\n\nconnect-src<\/code><\/strong> \u2014 where data can be sent (XHR, fetch, beacons)<\/li>\n\n\n\nimg-src<\/code><\/strong> \u2014 where images (and tracking pixels) can load from<\/li>\n\n\n\nframe-src<\/code><\/strong> \u2014 allowed iframes<\/li>\n\n\n\nstyle-src<\/code><\/strong> \u2014 stylesheets (relevant for GTM preview mode)<\/li>\n<\/ul>\n\n\n\nThe browser doesn\u2019t distinguish between a \u201cfriendly\u201d GA4 script and malicious JavaScript.<\/strong> If a script isn\u2019t on the allowlist, the browser blocks it. Silently, with no warning for the user \u2014 and often no warning for you.<\/p>\n\n\n\nCSP protects against XSS attacks, data exfiltration, and malicious code injection. It does this well. The problem starts when a tag manager enters the equation.<\/p>\n\n\n\n
<\/div>\n\n\n\nWhy GTM Is a Nightmare for CSP<\/h2>\n\n\n\n
GTM operates on two levels \u2014 both problematic for CSP.<\/p>\n\n\n\n
Level one:<\/strong> the container snippet. An inline script in the page\u2019s <\/code>. Needs permission in script-src<\/code>.<\/p>\n\n\n\nLevel two:<\/strong> tags loaded by the container. GTM fetches its configuration and dynamically injects additional scripts \u2014 GA4, Meta Pixel, Hotjar, LinkedIn Insight Tag\u2026 Each vendor needs its own domains in CSP.<\/p>\n\n\n\nEvery new tag in GTM = a potential new domain in CSP.<\/strong> A marketer adds a tag in 2 minutes. Changing the CSP header requires a Jira ticket, code review, deploy, and waiting.<\/p>\n\n\n\nReal consequences of poor configuration:<\/p>\n\n\n\n
\n- Silent data loss<\/strong> \u2014 tracking stops working, but nobody notices. The data gap can\u2019t be backfilled.<\/li>\n\n\n\n
- Broken campaigns<\/strong> \u2014 conversion pixels don\u2019t fire, campaigns can\u2019t be evaluated.<\/li>\n\n\n\n
- Broken debugging<\/strong> \u2014 GTM preview mode requires directives for
tagmanager.google.com<\/code>; without them, debugging doesn\u2019t work.<\/li>\n<\/ul>\n\n\n\nI\u2019ll show how to solve this shortly. But first, it\u2019s important to understand why a poorly configured CSP can be worse than no CSP at all.<\/p>\n\n\n\n
<\/div>\n\n\n\nWhen the Cure Kills: GTM as a Security Risk<\/h2>\n\n\n\n
Security firm Raxis demonstrated an attack<\/a> using a GTM container to bypass both WAF and CSP:<\/p>\n\n\n\n\n- Attacker finds an XSS vulnerability on the site<\/li>\n\n\n\n
- Injects a reference to their own GTM container with a malicious Custom HTML tag<\/li>\n\n\n\n
- The payload lives on
googletagmanager.com<\/code> \u2014 WAF doesn\u2019t flag it, CSP allows it<\/li>\n\n\n\n- Code executes in the page context \u2014 access to cookies, session tokens, forms<\/li>\n<\/ol>\n\n\n\n
Google acknowledged it as an \u201chonorable mention\u201d in the Bug Bounty program. More documented GTM attacks \u2014 including payment data theft from hundreds of e-commerce sites \u2014 in the previous article<\/a>.<\/p>\n\n\n\nThree conditions must be met simultaneously:<\/strong> (1) an XSS vulnerability on the site, (2) CSP without nonce for GTM scripts, (3) unsafe-inline<\/code> or another weak CSP directive. Meet all three? You have a problem.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.sabatka.net\/wp-content\/uploads\/2026\/04\/null-did-you-know.png\")
<\/figure>\n<\/div>\n\n\n\n