I studied the use of Google Tag Manager on my website, but I did not deal with the first obstacle due to the fact that the Google enable code was blocked by default by installing mod-security on my server:
Standard GTM includes the code:
<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-XXXXXX"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
Reply from mod-security:
WARNING: Possibly malicious iframe tag in output
Message: Outbound Anomaly Score Exceeded (score 15): Possibly malicious iframe tag in output
Called rules: identifiers 981000 and 981001.
I can understand why mod-security might think that an iframe with "display: none; visibility: hidden" could be malicious, and removing the style attribute terminates rule 981001, but the request still fails due to rule 981000.
981000 seems to have a strong opinion on what the width and height attributes should be, but I tried setting them to "1" and "10" to no avail: - (
- , iframe, ? GTM , iframe?
PS: , , noscript, , .
PPS: , 981000, , ; -)
Pattern match "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?["']?[^"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)"