
googletagmanager.com tracking



Hi,

 

our Security Office is asking us to disable all Storefront and Receiver communications to *.Citrix.com and *.googletagmanager.com. I cannot find any information on how to do that.

The only other article I found on this topic is https://discussions.citrix.com/topic/406351-html5-receiver-still-active-googletagmanagercom-tracking-gdpr-problem/ but the question to Citrix is still open.

 

Storefront Version: 1912.0.0.40 / HTML5_19.12..0.4102


Hi tklemmi,
you can use a rewrite policy within your Citrix ADC to set the HTTP header 'Content-Security-Policy' to prevent the client from accessing https://www.googletagmanager.com. This does not work with all browsers, but with many (check https://caniuse.com/#search=content security Policy ).

 

It is some annoying work to build a CSP for ADC Gateway & Storefront, and you may have to correct it after customizing your portal theme or after applying a new firmware or update. But it will provide some additional security to your clients, since it will mitigate cross-site scripting.

 

The directive 'script-src' will block the access to the GoogleTagManager. Check the separate CSP directives and their use cases here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy .

 

A CSP policy will look like this:
default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-hashes' 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog=' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='; script-src 'self' 'sha256-rlo4brH3WMD4glS8y2bOc83V5Rx/IXjJOlEdstHn8gc=' 'sha256-0Q0k+0y9ZyFw0DwHIch5U+iV2SPHYxOFxzANxUpzUEo='; connect-src 'self'; frame-ancestors 'self'; base-uri 'none'; form-action 'none'; font-src 'self'

 

Do you see the four 'sha256-...' values? There are some styles and scripts used by the ADC which need to be whitelisted. There are many more, and these four are only examples to show the syntax.

 

You can use this template to start your own CSP policy:
default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-hashes'; script-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'none'; form-action 'none'; font-src 'self'

 

Build your CSP policy and bind it to your Citrix ADC or Storefront LB. The best web browser to build a CSP step by step is Google Chrome/Microsoft Edge. Open the developer tools (F12) and access your ADC Gateway. Check the tab 'Console'. You will now see many entries with blocked scripts and styles. Copy their 'sha256-...' values step by step and complete your CSP policy until there are no block messages left. You also need to authenticate and log off to see all used styles/scripts! There are some other ways to build a CSP without the web browser, like setting up the report-uri.

 

Check the first entry; it will look like this:
Refused to load the script 'https://www.googletagmanager.com/gtm.js?id=GTM-5JRN5ZC' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

 

Jump to the network tab in the developer tools. You will see a blocked request to GoogleTagManager!

 

 

Rewrite Action:
Name: act_rw_INSERT_HTTP_HEADER_Content-Security-Policy_ADC
Type: INSERT_HTTP_HEADER
Header Name: Content-Security-Policy
Expression (Example policy):
"default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-hashes'; script-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'none'; form-action 'none'; font-src 'self'"

 

Hint: The number of characters in an ADC expression is limited. If your expression is longer than the number of characters allowed, split the expression in this way:

"default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-hashes';"+" script-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'none'; form-action 'none'; font-src 'self'"


Rewrite Policy:
Name: pol_rw_INSERT_HTTP_HEADER_Content-Security-Policy_ADC
Action: act_rw_INSERT_HTTP_HEADER_Content-Security-Policy_ADC
Expression Examples:
- HTTP.REQ.HOSTNAME.EQ("Hostname")
- HTTP.RES.HEADER("Content-Security-Policy").EXISTS.NOT
- true

 

It is not best practice to use 'unsafe-hashes' in your CSP, but I don't know any other way to whitelist these styles.

 

It would be nice if Citrix would make ADC Gateway CSP capable. Please rewrite your code so that we don't need to whitelist hashes or use unsafe parameters. Maybe it could be only one click to enable a CSP...

 

Best regards,
Jens

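The procedure Jens describes (start from the template, read the "Refused to ..." console messages, copy the 'sha256-...' values into the matching directive, then split the finished policy into an ADC-length-safe expression) can be automated. The following Python script is an added example; it is not code from Jens's post, from Citrix or from the ADC firmware. The console lines are constructed in the shape Chrome prints (the first one is the message quoted above, the other two carry two of the hashes from the sample policy), the ADC expression length limit is a placeholder parameter because the post does not state the real value, and `csp_hash()` shows how a 'sha256-...' source value is derived from inline script or style text (base64 of the SHA-256 digest, per the CSP specification). External loads such as googletagmanager.com are deliberately left blocked and reported separately.

```python
import base64
import hashlib
import re
from collections import OrderedDict

# Constructed sample of what the browser console shows with the template policy active.
# The hash values are two of the sample values from the post; the GTM URL is the one quoted there.
CONSOLE_LINES = [
    "Refused to load the script 'https://www.googletagmanager.com/gtm.js?id=GTM-5JRN5ZC' "
    "because it violates the following Content Security Policy directive: \"script-src 'self'\". "
    "Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.",
    "Refused to execute inline script because it violates the following Content Security Policy "
    "directive: \"script-src 'self'\". Either the 'unsafe-inline' keyword, a hash "
    "('sha256-rlo4brH3WMD4glS8y2bOc83V5Rx/IXjJOlEdstHn8gc='), or a nonce ('nonce-...') "
    "is required to enable inline execution.",
    "Refused to apply inline style because it violates the following Content Security Policy "
    "directive: \"style-src 'self' 'unsafe-hashes'\". Either the 'unsafe-inline' keyword, a hash "
    "('sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='), or a nonce ('nonce-...') "
    "is required to enable inline execution.",
]

# The starting template from the post.
TEMPLATE = ("default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-hashes'; "
            "script-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'none'; "
            "form-action 'none'; font-src 'self'")

HASH_RE = re.compile(r"a hash \('(sha256-[A-Za-z0-9+/]+=*)'\)")
DIRECTIVE_RE = re.compile(r'directive: "([a-z-]+)')
BLOCKED_URL_RE = re.compile(r"Refused to load the (?:script|stylesheet) '([^']+)'")


def csp_hash(source: str) -> str:
    """Return the CSP source expression for an inline script/style body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_policy(policy: str):
    """Split 'name values; name values' into an ordered mapping of directive -> value list."""
    directives = OrderedDict()
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def serialize_policy(directives) -> str:
    return "; ".join(" ".join([name] + values) for name, values in directives.items())


def merge_console_messages(policy: str, lines):
    """Add every hash the console asked for to the directive it names.

    Returns (updated policy, list of external URLs that remain blocked). External loads
    are never whitelisted here: blocking them is the point of the exercise.
    """
    directives = parse_policy(policy)
    still_blocked = []
    for line in lines:
        url = BLOCKED_URL_RE.search(line)
        if url:
            still_blocked.append(url.group(1))
            continue
        hash_match = HASH_RE.search(line)
        dir_match = DIRECTIVE_RE.search(line)
        if not (hash_match and dir_match):
            continue
        value = "'" + hash_match.group(1) + "'"
        values = directives.setdefault(dir_match.group(1), [])
        if value not in values:
            values.append(value)
    return serialize_policy(directives), still_blocked


def adc_expression(policy: str, max_len: int) -> str:
    """Quote the policy as an ADC expression, split at directive boundaries into
    "..."+"..." pieces no longer than max_len (placeholder limit, not the real ADC value)."""
    parts = policy.split("; ")
    chunks, current = [], ""
    for i, part in enumerate(parts):
        segment = part + ";" if i < len(parts) - 1 else part
        if i > 0:
            segment = " " + segment          # keep the space so the pieces concatenate cleanly
        if current and len(current) + len(segment) > max_len:
            chunks.append(current)
            current = ""
        current += segment
    chunks.append(current)
    return "+".join('"' + c + '"' for c in chunks)


if __name__ == "__main__":
    merged, blocked = merge_console_messages(TEMPLATE, CONSOLE_LINES)
    print("Policy:", merged)
    print("Still blocked (intended):", blocked)
    print("ADC expression:", adc_expression(merged, 120))
```

Run it once per console export; repeat after authenticating and logging off, as the post advises, since those pages use additional inline resources. The `still_blocked` list is the check that the tracking request is actually being refused rather than silently whitelisted.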
