Forge and CSP - handling Google Tag Manager and Survicate

Hi, we are using Google Tag Manager and Survicate for our Forge apps. However, after reading "Security requirements for cloud applications", we started to have concerns that, due to Atlassian policies regarding CSP requirements (especially for the Forge application, where it says Platform Supported), the communication with external services through the GTM script may be somehow blocked or hindered.

Right now it is all running smoothly, as we have added the Google and Survicate domains to the permissions for external scripts in manifest.yml and following CSP requirements, but the question is: is it going to change somehow for Forge apps in the future? Or maybe Forge will automatically handle the problem itself?

In our manifest we have:

```yaml
external:
  scripts:
    - "*.googletagmanager.com"
    - "*.analytics.google.com"
    - "*.google-analytics.com"
    - "*.survicate.com"
content:
  styles:
    - unsafe-inline
  scripts:
    - unsafe-inline
    - unsafe-eval
```

Thanks
