How to coexist Google Tag Manager and Content-Security-Policy?

The Content-Security-Policy (CSP) header is designed to protect your application from malicious attachments in your web applications. To make it simple, you provide a whitelist of allowed domain roots for all of your images, scripts, styles, etc.

Meanwhile, the marketing team uses Google Tag Manager (GTM) to manage tags. The principle is to collect information from the page, send it to GTM and use this data as variables to generate tags, a combination of JS/HTML templates and these variables.

The problem is that most of these tags contain JavaScript to send very specific data to the tracker, ad servers, or any other partners. Suppose my marketing team is aware of the security risks and will not include a malicious script.

Is there a way to find out which domains are imported by GTM so that they can be automatically added to my CSP?

+6
1 answer

I don't think there would be a way out of the box. You can use the GTM API (https://developers.google.com/tag-manager/api/v1/reference/accounts/containers/tags/list), where you can basically iterate over all custom HTML and custom image tags and collect host names.

+1
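The collection step the answer describes, as an added example that is not part of the answer or of Google's API client. It assumes a simplified shape for the tags.list entries (a "type" plus a list of key/value parameters, custom HTML under key "html", custom image URLs under key "url"; the real response carries more fields), extracts the hosts each tag references, groups them by CSP directive, and counts inline <script> blocks, which a host allowlist cannot cover.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the assumed shape of GTM tags.list entries (not a real capture).
SAMPLE_TAGS = [
    {"type": "html", "parameter": [{"key": "html", "value":
        '<script src="https://cdn.partner.example/px.js"></script>'
        '<img src="https://stats.ads.example/p.gif">'}]},
    {"type": "img", "parameter": [{"key": "url", "value": "http://beacon.tracker.example/x.gif"}]},
    {"type": "html", "parameter": [{"key": "html", "value":
        '<script src="//cdn.partner.example/b.js"></script>'
        '<script>dataLayer.push({ev: 1});</script>'}]},
]
# HTML element -> (attribute holding the URL, CSP directive it falls under)
ATTR_FOR = {"script": ("src", "script-src"), "img": ("src", "img-src"),
            "iframe": ("src", "frame-src"), "link": ("href", "style-src")}

class _SrcCollector(HTMLParser):
    """Record external resource URLs per directive; count inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.found, self.inline_scripts = [], 0
    def handle_starttag(self, tag, attrs):
        attr, directive = ATTR_FOR.get(tag, (None, None))
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.found.append((directive, url))
        elif tag == "script":
            self.inline_scripts += 1  # needs a nonce or hash, not a host entry

def origin_of(url):
    """scheme://host for a URL; protocol-relative URLs are treated as https."""
    p = urlparse("https:" + url if url.startswith("//") else url)
    return f"{p.scheme}://{p.hostname}" if p.hostname else None

def csp_sources_from_tags(tags):
    """Return ({directive: sorted origins}, number of inline scripts found)."""
    sources, inline = {}, 0
    for tag in tags:
        params = {p["key"]: p["value"] for p in tag.get("parameter", [])}
        pairs = [("img-src", params.get("url", ""))] if tag["type"] == "img" else []
        if tag["type"] == "html":
            c = _SrcCollector()
            c.feed(params.get("html", ""))
            pairs, inline = c.found, inline + c.inline_scripts
        for directive, url in pairs:
            if origin := origin_of(url):
                sources.setdefault(directive, set()).add(origin)
    return {d: sorted(s) for d, s in sources.items()}, inline
```

Authentication and the actual API call are left out; pass the returned tag list in place of SAMPLE_TAGS and append each directive's origins to the matching CSP directive. The inline-script count is the part a host allowlist cannot solve: those custom HTML tags still need a nonce or hash to run under CSP.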

Source: https://habr.com/ru/post/1012897/
