Until about a year ago I was working as a FE developer for a major international bank.
All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim, dump any old JS onto a production page via GTM. During my 18 months there, there were numerous issues (thankfully not security issues - at least that we know of) introduced via this method, including a full outage of the customer onboarding journey.
I see GTM being used (abused?) by marketing teams regularly, but I'm really surprised that a bank with its own development team would allow it.
It is really powerful and sometimes incredibly useful in some scenarios (e.g. I once built a schema.org metadata system that scraped the pages on the fly for a site with a broken CMS). Simo Ahava does clever things with it.
But from what I can tell, it seems to be a way of avoiding communication between teams, or a political power grab inside bigger companies - a parallel CMS. And the silly bit is that it's normally not doing much more than could be achieved by copy and pasting a few lines of code into a template.
I was once investigating "partner reporting that our embed loads slowly". The investigation result was something like: their HTML injects JS, which injects another JS, which injects GTM, which injects an SDK, which injects the embed.
Of course it all loads only when the user does not have any adblocking or tracking protections enabled.
It's a Google backdoor for your team to add more tracking etc.
The important point is that it's a backdoor for marketing (and adtech) teams to get around developer/security requirements. At some point, someone on those teams gets frustrated that their one-line code requests (just load this script! add a gif banner here!) keep falling behind in the backlog. That happens in part because the product team often doesn't care about marketing, and sometimes because developers know that "just one more script!" paves the road to hell. At some point the third party that's trying to get their business going through your business convinces the marketing team to add GTM, and the marketing team says to the dev team "Hey we need GTM to implement THIS script". This time, because the other side has promised them $$$ in terms of ROI, the marketing team pushes really hard for it, and eventually a product manager approves the request to get them off their back. The rest, as they say, is history (at retro time, multiple times down the road).
Well the clue's in the name. But I'd argue that Google analysing metadata about who's loading what/when through GTM is a lesser evil, when compared to normalising everyone sticking megabytes of mystery scripts on their sites with the tool.
I'd say 'frontdoor' given that the standard first tag to implement is Google Analytics. But I am sure they also generate some data for their own use about the number and types of tags that each site is adding via GTM.
You can tell by the URL path (it's under /content/dam) that it's served by Adobe Experience Manager (Adobe's CMS, dam stands for digital asset manager, where you store static assets like images and js). The script itself is "target.js", which is Adobe Target - their A/B framework - which "supports custom code insertion"[1] similar to a tag manager.
It's not GTM, but this is like loading the GTM script itself from archive.org.
It's worth noting that AEM is often very badly set up, following requirements from managers who have no idea or concern about web development, and later maintained by low cost content editors who barely know some HTML. Moreover, this CMS seems to be a standard for big sites even though the licenses are costly, development is slow and complicated, and it adds a lot of human hours to the site maintenance.
> All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim, dump any old JS onto a production page via GTM.
That's what's great about content security policies: put a CSP on the page, and when people try to add scripts without going through proper processes it just won't run.
Yes, but it won't allow GTM to load scripts off OTHER domains. It basically re-adds the requirement of engineering gating off 300 different adtech trackers.
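The two comments above turn on how a browser evaluates the CSP script-src directive. The following is an added example, not code from this thread or from Google Tag Manager: a small model of that evaluation, enough to show that allow-listing the GTM container script (by host or by nonce) does not extend to the third-party scripts a GTM tag injects afterwards, and that the 'strict-dynamic' keyword often added to make nonce-based GTM setups "just work" hands that trust back. Every hostname, nonce and container ID in it is a constructed placeholder, and path matching is simplified to a prefix match.

```javascript
// Added example, not code from the thread or from Google Tag Manager: a small
// model of how a browser evaluates the CSP script-src directive. All hostnames,
// nonces and container IDs below are constructed placeholders.

// Parse a CSP header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Match one host-source expression (e.g. https://cdn.example.com, *.example.com,
// https://example.com:8443/js/) against a script URL. Scheme-source expressions
// such as "https:" are not modelled and simply never match.
function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const hostname = url.hostname.toLowerCase();
  if (wildcard ? !hostname.endsWith(`.${host.toLowerCase()}`) : hostname !== host.toLowerCase()) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path && !url.pathname.startsWith(path)) return false; // simplified prefix match
  return true;
}

// Decide whether one <script> is allowed under `policy` on a page served from
// `pageOrigin`. `script` is a constructed description of the element:
//   { src, nonce, inline, dynamicallyInserted }
// dynamicallyInserted means an already-running script created the element with
// createElement/appendChild (how a tag manager injects its tags), as opposed to
// the element arriving from the HTML parser or document.write.
function scriptAllowed(policy, pageOrigin, script) {
  const csp = parseCsp(policy);
  const sources = csp['script-src'] || csp['default-src'] || [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  // A matching nonce allows the script whether it is inline or external.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;

  // 'strict-dynamic' makes the browser ignore host allow-lists and 'self' and
  // instead trust whatever an already-trusted script goes on to inject dynamically.
  if (sources.includes("'strict-dynamic'")) return script.dynamicallyInserted === true;

  // 'unsafe-inline' is ignored as soon as the directive also carries a nonce or hash.
  if (script.inline) return sources.includes("'unsafe-inline'") && !hasNonceOrHash;

  const url = new URL(script.src);
  const self = new URL(pageOrigin);
  return sources.some((s) => {
    if (s === "'self'") return url.origin === self.origin;
    if (s.startsWith("'")) return false; // other keywords and hashes are not host matches
    return hostSourceMatches(s, url);
  });
}

// Policy a development team might ship: own origin, the GTM container host, a per-response nonce.
const GATED_POLICY =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com 'nonce-r4nd0m'";
// The nonce-plus-'strict-dynamic' variant that lets the container inject whatever it likes.
const STRICT_DYNAMIC_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic'";

const PAGE = 'https://bank.example'; // constructed
const GTM_LOADER = { src: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER', nonce: 'r4nd0m' };
const INJECTED_TRACKER = { src: 'https://cdn.tracker.example/t.js', dynamicallyInserted: true }; // constructed

// Returns the three outcomes discussed in the thread.
function demo() {
  return {
    gtmContainerLoads: scriptAllowed(GATED_POLICY, PAGE, GTM_LOADER),                  // true
    tagInjectedTrackerRuns: scriptAllowed(GATED_POLICY, PAGE, INJECTED_TRACKER),       // false
    trackerRunsUnderStrictDynamic: scriptAllowed(STRICT_DYNAMIC_POLICY, PAGE, INJECTED_TRACKER), // true
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

With GATED_POLICY the container loads (both its host and its nonce are allowed), but the tracker the tag injects has neither and is refused, which is exactly the engineering gate the reply describes. The moment 'strict-dynamic' is added so that GTM stops throwing CSP errors, everything the container injects is trusted again, so the policy no longer gates anything a tag can do.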
I work for a large media company and this is exactly the reason we don't give editors access to GTM (or even all developers), nor do we allow tools such as Optimizely intended for A/B testing, and we went away from letting them paste HTML into articles to include custom elements.
Unfortunately, we still have lots of 3rd party stuff in GTM, and technically any ad can run random js on our sites. That's where most problems come from these days.
Editors still technically have the power to brick a given site through our old inhouse CMS which has no proper access control levels, hopefully not for long...
> technically any ad can run random js on our sites
If you configure your ad network to run all ads cross-domain, then they are very limited. For example, in GPT (which I work on) you call "googletag.pubads().setForceSafeFrame(true)".
"customer onboarding journey" sounds altogether twee for a major international bank. Banks are mattresses with insurance policies. Why is there even a journey to be broken?
Because they have to know who you are in a fair bit of detail both to comply with the law and to know who they should let take money out of the account. Because they need you to agree to a bunch of contracts. Because they need to get you things like a bank card. Because they need to decide if they want to lend you money (most often in the form of a credit card). And so on and so forth.