[jefftk]

> All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim dump any old JS onto a production page via GTM.

That's what's great about content security policies: put a CSP on the page, and when people try to add scripts without going through proper processes it just won't run.

[e12e]

If you're using Google tag manager, the csp would have to allow scripts from gtm though?

[dylz]

Yes, but it won't allow GTM to load scripts off OTHER domains. It basically re-adds the requirement of engineering gating off 300 different adtech trackers.