# Configure a sandboxed JavaScript policy

Last updated 2024-10-09 UTC.

You can configure a policy script that limits the permissions of the server-side container. This page shows you how to configure a policy file for your container. These instructions assume you are already familiar with [custom template policies](/tag-platform/tag-manager/templates/policies) for Tag Manager.

A server-side policy file is a JavaScript file that uses gtag.js syntax to define and register one or more policies.

1. Create a JavaScript file that creates and registers one or more policies. Each policy function is registered for a specific permission or for all permissions. A policy function rejects a permission request when it returns false or throws an exception. For example:

   ```javascript
   gtag('policy', 'all', function(container, policy, data) {
     // This function will run for every permission check. Return true to
     // allow the permission check. Return false or throw an exception to
     // deny the permission check.

     // container is the container id (e.g. GTM-ABC123)
     // policy is the permission type (e.g. get_cookies)
     // data is an object containing data about the permission request

     // This policy applies to only one container. This check allows the
     // same policy file to apply to more than one Tag Manager server
     // container.
     if (container !== 'GTM-ABC123') return true;

     // Since this code runs on all permission checks, conditionally check
     // the permission type and decide to permit or deny the permission.
     switch (policy) {

       // Container GTM-ABC123 can send HTTP requests. Everything else is
       // prohibited.
       case 'send_http':
         return true;

       // All other permission requests are denied.
       default:
         return false;
     }
   });

   gtag('policy', 'get_cookies', function(container, policy, data) {
     // This function will run for checks on the get_cookies permission.

     // Deny all permission checks to read cookies except for the 'user_id'
     // cookie. This check applies to all containers that load this policy
     // file.
     return data.name === 'user_id';
   });
   ```

2. Host the JavaScript file at a publicly accessible HTTPS URL. The file may be hosted on any web server, but the steps below describe how to host it in a Google Cloud Storage Bucket.

   1. Go to [console.cloud.google.com](https://console.cloud.google.com) and select your project at the top of the page.
   2. Select ***Storage -> Browser*** from the left-hand navigation.
   3. Click **Create bucket**.
   4. Follow the steps to create the bucket. For **Access control**, select **Fine-grained**.
   5. Click **Upload files**, and upload your policy JavaScript file.
   6. Once the file has uploaded, click on the file name, then select **Edit Permissions**.
   7. Click **Add entry** with:
      - Entity: Public
      - Name: allUsers
      - Access: Reader
   8. Click **Save**.
   9. Click to return to the previous page.
   10. In the line for the policy file, click **Copy URL**.

3. Follow the steps in [Create or Reconfigure a Tagging Server](/tag-platform/tag-manager/server-side/app-engine-setup#step-2) to modify your tagging server configuration. When prompted for a policy URL, enter the URL from step 2.
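
The policy file from step 1 can be exercised locally before it is hosted, to see how its two policies combine. The following is an added example, not code from the original page or from Google: the `registry`, the `gtag` stub, `checkPermission` and the container ID `GTM-XYZ789` are assumptions, and the rule that every matching policy must return true is a local model of the page's statement that a false return or an exception rejects a request.

```javascript
// Local stand-in for the gtag() the tagging server provides when it loads the
// policy file (an assumption, for offline testing only).
const registry = [];
function gtag(command, permission, fn) {
  if (command !== 'policy') throw new Error('unsupported command: ' + command);
  registry.push({ permission, fn });
}

// --- Policy file under test: the two policies from the page's example ---
gtag('policy', 'all', function(container, policy, data) {
  if (container !== 'GTM-ABC123') return true;
  switch (policy) {
    case 'send_http':
      return true;
    default:
      return false;
  }
});

gtag('policy', 'get_cookies', function(container, policy, data) {
  return data.name === 'user_id';
});

// Assumed evaluation rule: a request is allowed only if every policy
// registered for 'all' or for this permission returns true. A false return
// or a thrown exception rejects the request, as the page states.
function checkPermission(container, permission, data) {
  for (const { permission: scope, fn } of registry) {
    if (scope !== 'all' && scope !== permission) continue;
    try {
      if (fn(container, permission, data) !== true) return false;
    } catch (err) { return false; }  // fail closed on exceptions
  }
  return true;
}

// Constructed permission requests (GTM-XYZ789 is a made-up second container).
const cases = [
  ['GTM-ABC123', 'send_http', {}],
  ['GTM-ABC123', 'get_cookies', { name: 'user_id' }],
  ['GTM-XYZ789', 'get_cookies', { name: 'user_id' }],
  ['GTM-XYZ789', 'get_cookies', { name: 'session' }],
  ['GTM-XYZ789', 'get_cookies', undefined],
];
for (const [container, permission, data] of cases) {
  const verdict = checkPermission(container, permission, data) ? 'allow' : 'deny';
  console.log(container, permission, JSON.stringify(data), '=>', verdict);
}
```

Under this model, `GTM-ABC123` cannot read even the `user_id` cookie, because the `all` policy denies every permission except `send_http` for that container. The hosted file is readable by anyone with the URL, so keep secrets and internal hostnames out of it.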