feat(security): add GTM and GA domains to CSP for hosted environments

[waleedlatif1]

Summary

• Add GTM and GA domains to CSP script-src, img-src, connect-src, and frame-src directives
• Updates both buildTimeCSPDirectives and generateRuntimeCSP()
• All additions gated behind isHosted

Follows up on #3993 which added the GTM/GA scripts but missed the CSP allowlisting.

Type of Change

• Bug fix

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 7, 2026 8:39pm

[cursor]

PR Summary

Medium Risk
Changes Content Security Policy allowlists to permit additional third-party Google domains in hosted environments, which can affect XSS containment if misconfigured. Scope is limited to CSP generation and gated behind isHosted.

Overview
Updates CSP generation to allow Google Tag Manager and Google Analytics domains when running in hosted mode (isHosted). This extends both build-time directives and the runtime CSP string to include GTM/GA entries in script-src, img-src, connect-src, and frame-src, and adjusts the CSP unit test mocks to include isHosted.

^{Reviewed by Cursor Bugbot for commit 1ce2a2f. Configure here.}

[greptile-apps]

Greptile Summary

This PR follows up on #3993 by adding the missing CSP allowlist entries for Google Tag Manager (GTM) and Google Analytics (GA) in hosted environments. Without these entries, browsers would block GTM/GA resources despite the scripts being loaded, producing CSP violation reports and broken analytics.

• GTM (https://www.googletagmanager.com) and GA (https://www.google-analytics.com) added to script-src and img-src
• Wildcard subdomains (https://*.google-analytics.com, https://*.analytics.google.com) added to connect-src for GA4 collection endpoints
• GTM added to frame-src for the GTM preview/debug iframe
• All four directives updated consistently in both buildTimeCSPDirectives (build time) and generateRuntimeCSP() (runtime middleware), with matching domain sets across both paths
• All additions are correctly gated behind isHosted, leaving self-hosted deployments unaffected
• The gtmImg variable pattern (flagged in a prior review) has been applied correctly alongside gtmScript, gtmConnect, and gtmFrame
• The test file adds isHosted: false to the mock but has no test cases for the isHosted: true code path that exercises the new GTM domains

Confidence Score: 5/5

Safe to merge — the CSP additions are correct, consistent across both policy paths, and properly gated behind isHosted

All GTM/GA domains are identical between buildTimeCSPDirectives and generateRuntimeCSP(), the isHosted gate is applied correctly everywhere, and there are no logic or security regressions. The only remaining finding is P2: missing test coverage for the isHosted: true path, which does not block merge.

csp.test.ts — a separate hosted-mode test file would improve confidence in the new GTM domain additions

Important Files Changed

Filename	Overview
apps/sim/lib/core/security/csp.ts	Adds GTM/GA domains to all four relevant CSP directives in both build-time and runtime paths, consistently gated behind isHosted with matching domain sets across both code paths
apps/sim/lib/core/security/csp.test.ts	Adds isHosted: false to the feature-flags mock, but no test cases cover the isHosted: true path exercising the new GTM/GA domain additions

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CSP header generation] --> B{isHosted?}
    B -->|true| C[Add GTM/GA domains]
    B -->|false| D[Standard CSP only]
    C --> E[script-src\ngoogletagmanager.com\ngoogle-analytics.com]
    C --> F[img-src\ngoogletagmanager.com\ngoogle-analytics.com]
    C --> G[connect-src\ngoogletagmanager.com\n*.google-analytics.com\n*.analytics.google.com]
    C --> H[frame-src\ngoogletagmanager.com]
    E & F & G & H --> I[Final CSP Header]
    D --> I

Loading

_{Reviews (2): Last reviewed commit: "lint" | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1ce2a2f. Configure here.}

[cursor]

CSP img-src uses exact domains instead of wildcards

Medium Severity

The img-src directive uses exact www. domains (https://www.google-analytics.com, https://www.googletagmanager.com) while the connect-src directive in the same PR correctly uses wildcards (https://*.google-analytics.com). Google's official CSP documentation for GA4 explicitly recommends wildcards for img-src too: https://*.google-analytics.com https://*.googletagmanager.com. GA tracking pixels can be served from non-www subdomains (e.g., regional endpoints), which would be blocked by the exact-domain img-src entries. This inconsistency exists in both buildTimeCSPDirectives and gtmImg in generateRuntimeCSP().

Additional Locations (1)

• apps/sim/lib/core/security/csp.ts#L189-L192

 

^{Reviewed by Cursor Bugbot for commit 1ce2a2f. Configure here.}