alphagov · brucebolt · Sep 4, 2020 · Sep 4, 2020 · Sep 4, 2020 · Sep 4, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# Unreleased
+
+* Add www.googletagmanager.com and www.gstatic.com to Content Security Policy (https://github.com/alphagov/govuk_app_config/pull/153)
+
 # 2.2.1
 
 * Fix linting issues (https://github.com/alphagov/govuk_app_config/pull/149)

diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -17,7 +17,10 @@ module GovukContentSecurityPolicy
 
   GOOGLE_ANALYTICS_DOMAINS = %w[www.google-analytics.com
                                 ssl.google-analytics.com
-                                stats.g.doubleclick.net].freeze
+                                stats.g.doubleclick.net
+                                www.googletagmanager.com].freeze
+
+  GOOGLE_STATIC_DOMAINS = %w[www.gstatic.com].freeze
 
   def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
@@ -35,6 +38,7 @@ def self.build_policy(policy)
     policy.script_src :self,
                       *GOVUK_DOMAINS,
                       *GOOGLE_ANALYTICS_DOMAINS,
+                      *GOOGLE_STATIC_DOMAINS,
                       # Allow JSONP call to Verify to check whether the user is logged in
                       "www.signin.service.gov.uk",
                       # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
@@ -51,6 +55,7 @@ def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
     policy.style_src :self,
                      *GOVUK_DOMAINS,
+                     *GOOGLE_STATIC_DOMAINS,
                      # We use the `style=""` attribute on some HTML elements
                      :unsafe_inline