π The bug
Visit the site from a region where the user's local Google domain is non-.com (e.g. Taiwan β google.com.tw, Japan β google.co.jp, Hong Kong β google.com.hk). Observe in the browser network tab:
GET /_scripts/p/www.google.com.tw/ads/ga-audiences?v=1&t=sr&...
β 403 Forbidden
{
"statusCode": 403,
"statusMessage": "Domain not allowed",
"message": "Proxy domain not in allowlist: www.google.com.tw"
}
π οΈ To reproduce
https://stackblitz.com/edit/nuxt-starter-neoa1abj?file=nuxt.config.ts
π Expected behavior
GA proxy works no matter visitor region
βΉοΈ Additional context
gtag.js fires the ga-audiences remarketing beacon to the user's localized Google domain (www.google.<cctld>/ads/ga-audiences) when the GA property is linked to Google Ads. The TLD is chosen client-side based on the user's geo, so the set of hostnames is open-ended (dozens of cctlds).
The proxy allowlist for googleAnalytics is hardcoded in src/registry/google-analytics.ts (built into dist/registry.mjs:670 in 1.0.2):
domains: [
"www.google-analytics.com",
"analytics.google.com",
"stats.g.doubleclick.net",
"pagead2.googlesyndication.com",
"www.googleadservices.com",
"googleads.g.doubleclick.net",
"www.google.com",
"www.googletagmanager.com",
],
www.google.com is present, but no regional cctlds are. The runtime check in src/runtime/server/proxy-handler.ts (dist/runtime/server/proxy-handler.js:53-66) does:
if (domain === configDomain || domain.endsWith(`.${configDomain}`)) { ... }
Since www.google.com.tw neither equals nor ends with .www.google.com, every ga-audiences ping from non US visitors is rejected. For sites with significant non-US traffic this silently kills the Google Ads remarketing-audience signal.
π The bug
Visit the site from a region where the user's local Google domain is non-.com (e.g. Taiwan β google.com.tw, Japan β google.co.jp, Hong Kong β google.com.hk). Observe in the browser network tab:
π οΈ To reproduce
https://stackblitz.com/edit/nuxt-starter-neoa1abj?file=nuxt.config.ts
π Expected behavior
GA proxy works no matter visitor region
βΉοΈ Additional context
gtag.js fires the ga-audiences remarketing beacon to the user's localized Google domain (
www.google.<cctld>/ads/ga-audiences) when the GA property is linked to Google Ads. The TLD is chosen client-side based on the user's geo, so the set of hostnames is open-ended (dozens of cctlds).The proxy allowlist for googleAnalytics is hardcoded in
src/registry/google-analytics.ts(built intodist/registry.mjs:670in 1.0.2):www.google.com is present, but no regional cctlds are. The runtime check in
src/runtime/server/proxy-handler.ts(dist/runtime/server/proxy-handler.js:53-66) does:Since www.google.com.tw neither equals nor ends with .www.google.com, every ga-audiences ping from non US visitors is rejected. For sites with significant non-US traffic this silently kills the Google Ads remarketing-audience signal.