
> All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim, dump any old JS onto a production page via GTM.

That's what's great about content security policies: put a CSP on the page, and when people try to add scripts without going through proper processes it just won't run.



If you're using Google Tag Manager, the CSP would have to allow scripts from GTM though?


Yes, but it won't allow GTM to load scripts off OTHER domains. It basically re-adds the requirement of engineering gating off 300 different adtech trackers.
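The two comments above (a CSP stops scripts that bypass the normal process, and a policy that permits GTM still refuses whatever GTM tags try to pull from other origins) can be checked with a small model of how a browser evaluates `script-src`. The following is an added example, not code from the thread or from any Google product; the page origin `https://shop.example`, the policy string and the candidate script URLs are constructed, and the matcher is deliberately simplified (no path matching, nonces, hashes or `'strict-dynamic'`).

```javascript
// Added example, not from the HN thread: a simplified CSP script-src matcher
// illustrating why a policy that allows GTM still blocks scripts GTM tags try
// to inject from other origins. The origin, policy and URLs are constructed.
// Simplifications vs. the real CSP3 algorithm: path matching, nonces/hashes
// and 'strict-dynamic' are not modelled; host-source matching is by scheme,
// host (with *. wildcards) and port only.

const PAGE_ORIGIN = "https://shop.example"; // constructed page origin
const POLICY =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com"; // constructed

// Split "name src src; name src" into { name: [src, ...] }.
function parseDirectives(policy) {
  const map = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    map[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return map;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading scriptUrl on a page at pageOrigin?
function sourceMatches(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === page.origin;
  if (source.startsWith("'")) return false; // keyword/nonce/hash sources never match by origin
  if (source === "*") return u.protocol === "http:" || u.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return u.protocol === source; // scheme-source

  // host-source: [scheme://]host[:port][/path] (path ignored in this model)
  let scheme = null;
  let rest = source;
  const i = source.indexOf("://");
  if (i !== -1) {
    scheme = source.slice(0, i + 1);
    rest = source.slice(i + 3);
  }
  const [host, port] = rest.split("/")[0].split(":");
  if (scheme) {
    if (u.protocol !== scheme) return false;
  } else if (u.protocol !== page.protocol && !(page.protocol === "http:" && u.protocol === "https:")) {
    return false; // no explicit scheme: the page's scheme (or an upgrade to https) is implied
  }
  if (!hostMatches(host, u.hostname)) return false;
  const urlPort = u.port || defaultPort(u.protocol);
  if (port && port !== "*" && port !== urlPort) return false;
  return true;
}

// script-src governs scripts; default-src is the fallback when it is absent.
function scriptAllowed(policy, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const directives = parseDirectives(policy);
  const sources = directives["script-src"] ?? directives["default-src"];
  if (!sources) return true; // no governing directive: CSP imposes no restriction
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// Constructed URLs: the GTM loader, a first-party script, and two scripts a
// marketing tag might try to inject without going through engineering.
const CANDIDATES = [
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://shop.example/static/app.js",
  "https://cdn.adtech-tracker.example/pixel.js",
  "http://www.googletagmanager.com/gtm.js",
];

function report(policy = POLICY) {
  return Object.fromEntries(CANDIDATES.map((u) => [u, scriptAllowed(policy, u)]));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

Run with `node` to see the table: the GTM loader and the first-party script pass, the third-party tracker and the plain-http copy of the loader do not. The design point is that the allow-list lives in the response header the engineering team controls, so a tag added in the GTM console cannot widen it; the real browser algorithm adds path matching and nonce, hash and `'strict-dynamic'` handling on top of what is modelled here, and browsers report violations to the `report-to` / `report-uri` endpoint, which is where a blocked tag would show up in monitoring.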



