x/pkgsite: Google Tag Manager is loaded twice #40321
Comments
That change was made in golang/pkgsite@1940919. The author didn't appreciate the meaning of We still have the problem that we can't use nonces, so I'm not sure how to generate the iframe securely.
Change https://golang.org/cl/243858 mentions this issue:
There was an attempt to create a noscript tag, which only runs when JS is disabled, using JS. Remove it.

For golang/go#40321.

Change-Id: I99c02810ed7c299fb606259823ef9b764c525bb6
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/243858
Reviewed-by: Julie Qiu <julie@golang.org>
I am not the expert, but I think you can use nonces, as long as you wire them through the template so they only get applied where you intend them to be applied. I can review a CL that introduces nonces if you'd like.
My understanding (from @empijei) is that the nonce isn't necessary. But there is another problem with restoring the noscript iframe: the GTM ID is now in the DOM (rather than part of the template data). Can it be accessed without JS?
Change https://golang.org/cl/245557 mentions this issue:
Can we include it in the template data?
There was a reason we removed it in the first place...not sure what it was.
The following snippet:
Is meant to replace the following:
However, the <noscript> tag is explicitly a fallback for when JavaScript is not available, so replacing it with JavaScript doesn’t achieve its desired purpose (and ends up loading the GTM snippet again within the iframe). As I understand it, this was done for security reasons.
/cc @jba @jamalc
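Added example, not pkgsite's code and not part of the original thread: one way to wire a per-response CSP nonce through an html/template page while rendering the <noscript> iframe server-side from template data, so the fallback needs no JavaScript. The template, the function names, the policy string and the GTM-XXXXXXX placeholder ID are assumptions; the two URLs follow the shape of the standard GTM snippet.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// page is a constructed template. The GTM ID is template data, so the
// <noscript> fallback is plain server-rendered HTML.
var page = template.Must(template.New("page").Parse(`<!DOCTYPE html>
<script nonce="{{.Nonce}}" async src="https://www.googletagmanager.com/gtm.js?id={{.GTMID}}"></script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id={{.GTMID}}" height="0" width="0"></iframe></noscript>
`))

// newNonce returns 16 random bytes in URL-safe base64, for one response only.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// handler (hypothetical name) sets the CSP header, then renders the page.
func handler(gtmID string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		// The nonce covers the script element; the iframe is matched by frame-src.
		w.Header().Set("Content-Security-Policy", fmt.Sprintf(
			"script-src 'nonce-%s'; frame-src https://www.googletagmanager.com", nonce))
		_ = page.Execute(w, struct{ Nonce, GTMID string }{nonce, gtmID})
	}
}

// render performs one in-process request and returns the CSP header and body.
func render(gtmID string) (csp, body string) {
	rec := httptest.NewRecorder()
	handler(gtmID)(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}

func main() { fmt.Println(render("GTM-XXXXXXX")) }
```

URL-safe base64 is used for the nonce because html/template would entity-escape a "+" inside the attribute value.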