You can configure a policy script that limits the permissions of the server-side container. This page shows you how to configure a policy file for your container. These instructions assume you are already familiar with custom template policies for Tag Manager.
A server-side policy file is a JavaScript file that uses gtag.js syntax to define and register one or more policies.
Create a JavaScript file that creates and registers one or more policies. Each policy function is registered for a specific permission or for all permissions. A policy function rejects a permission request when it returns false or throws an exception. For example:
```javascript
gtag('policy', 'all', function(container, policy, data) {
  // This function will run for every permission check. Return true to
  // allow the permission check. Return false or throw an exception to
  // deny the permission check.

  // container is the container id (e.g. GTM-ABC123)
  // policy is the permission type (e.g. get_cookies)
  // data is an object containing data about the permission request

  // This policy applies to only one container. This check allows the
  // same policy file to apply to more than one Tag Manager server
  // container.
  if (container !== 'GTM-ABC123') return true;

  // Since this code runs on all permission checks, conditionally check
  // the permission type and decide to permit or deny the permission.
  switch (policy) {
    // Container GTM-ABC123 can send HTTP requests. Everything else is
    // prohibited.
    case 'send_http':
      return true;

    // All other permission requests are denied.
    default:
      return false;
  }
});

gtag('policy', 'get_cookies', function(container, policy, data) {
  // This function will run for checks on the get_cookies permission.
  // Deny all permission checks to read cookies except for the 'user_id'
  // cookie. This check applies to all containers that load this policy
  // file.
  return data.name === 'user_id';
});
```
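A policy file can be exercised offline before it is hosted. The following is an added example, not code from the original page or from Tag Manager: the `gtag` stub, `policies`, `checkPermission` and the container ID `GTM-XYZ789` are hypothetical, and it assumes a request is denied as soon as any matching policy returns false or throws.

```javascript
// Added example: offline harness for exercising a policy file before hosting it.
// `policies`, the `gtag` stub and `checkPermission` are hypothetical local helpers.
const policies = [];

// Stub of the registration call used by the policy file: records each policy.
function gtag(command, permission, fn) {
  if (command === 'policy') policies.push({ permission, fn });
}

// Assumption: a request is allowed only if no matching policy rejects it.
// Per the page, a policy rejects by returning false or throwing an exception.
function checkPermission(container, policy, data) {
  for (const p of policies) {
    if (p.permission !== 'all' && p.permission !== policy) continue;
    try {
      if (p.fn(container, policy, data) === false) return false;
    } catch (err) {
      return false; // an exception inside a policy counts as a denial
    }
  }
  return true;
}

// --- Policy file under test (the two policies from this page) ---
gtag('policy', 'all', function(container, policy, data) {
  if (container !== 'GTM-ABC123') return true;
  switch (policy) {
    case 'send_http': return true;
    default: return false;
  }
});
gtag('policy', 'get_cookies', function(container, policy, data) {
  return data.name === 'user_id';
});

// Constructed permission requests; GTM-XYZ789 is a made-up second container.
const results = {
  abcSendHttp: checkPermission('GTM-ABC123', 'send_http', {}),
  abcUserIdCookie: checkPermission('GTM-ABC123', 'get_cookies', { name: 'user_id' }),
  otherUserIdCookie: checkPermission('GTM-XYZ789', 'get_cookies', { name: 'user_id' }),
  otherSessionCookie: checkPermission('GTM-XYZ789', 'get_cookies', { name: 'session' }),
  otherMissingData: checkPermission('GTM-XYZ789', 'get_cookies', undefined),
};
console.log(results);
```

Under the stated assumption, GTM-ABC123 is denied even the `user_id` cookie because its `all` policy rejects everything except `send_http`, and a request with no `data` object is denied because the `get_cookies` policy throws.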
Host the JavaScript file at a publicly accessible HTTPS URL. The file may be hosted on any web server, but the steps below describe how to host it in a Google Cloud Storage Bucket.
- Go to console.cloud.google.com and select your project at the top of the page.
- Select Storage -> Browser from the left-hand navigation.
- Click Create bucket.
- Follow the steps to create the bucket. For Access control, select Fine-grained.
- Click Upload files, and upload your policy JavaScript file.
- Once the file has uploaded, click on the file name, then select Edit Permissions.
- Click Add entry with:
  - Entity: Public
  - Name: allUsers
  - Access: Reader
- Click Save.
- Click to return to the previous page.
- In the line for the policy file, click Copy URL.
Follow the steps in Create or Reconfigure a Tagging Server to modify your tagging server configuration. When prompted for a policy URL, enter the policy file URL you copied in step 2 (hosting the file).