Restrict tag deployment

Although it's not recommended to restrict the types of tags deployed using Google Tag Manager, for various reasons it might be necessary to restrict the tag types deployed on a site. For instance, some site-owners might not want Google Tag Manager users to be able to add certain tags to their site for code stability or data collection reasons. As such, we've added a tag blacklist feature to Google Tag Manager that can be controlled at snippet installation.

To control which tags, triggers, and variables are allowed on a page, use the gtm.whitelist and/or gtm.blacklist keys in your data layer. These keys will override any and all configuration in the container. When properly blacklisted, tags, triggers, and variables will not fire even if they have been configured to fire in the Google Tag Manager UI.

The following example demonstrates how to initialize the data layer with both a whitelist and a blacklist. Both lists are optional, and you can use them separately or at the same time (as shown). Both lists must be of type Array, and the values in the list must be of type String:

dataLayer = [{
  ...
  'gtm.whitelist': ['<id>', '<id>', ...],
  'gtm.blacklist': ['<id>', '<id>', '<id>', ...]
}];
 

Each ID in the list corresponds to a specific tag, trigger, or variable type, or to a class of types. Classes represent groups of tags, triggers, and variables that have the same capabilities. For example, all tags that can send pixels to non-Google domains will have the class nonGooglePixels. Classes are useful for blocking capabilities in current and future tags, triggers, and variables.

It's important to understand the rules that govern whitelists and blacklists:

  1. Whitelists When a whitelist has been set, relevant tags, triggers, and variables will only execute if they are in the whitelist, either explicitly (by type ID), or implicitly (by having all of their classes in the list).
  2. Blacklists When a blacklist has been set, tags, triggers, and variables will only execute if they are not in the blacklist, either explicitly (by type ID), or implicitly (by having any of their classes in the list).
  3. Blacklists Override Whitelists When both have been set, blacklists take precedence. You can whitelist a class of tags and blacklist a specific tag in that class, but the reverse is not true. You cannot blacklist a class of tags and whitelist a specific tag in that class.
  4. Classes Have Relationships Some classes have relationships with other classes. For example, tags that can run non-Google scripts can (by definition) send non-Google pixels. For this reason, blocking nonGooglePixels will also automatically block nonGoogleScripts. All tags, triggers, and variables that belong to either group will be blocked.

The following table provides a listing of the available tags, triggers, and variables, their types, and the classes that they belong to:

Tag ID Classes
AB TASTY Generic Tag abtGeneric nonGoogleScripts
AdAdvisor Tag ta nonGoogleScripts
Adometry Tag adm google
AdRoll Smart Pixel Tag asp nonGoogleScripts
Google Ads Conversion Tracking Tag awct google
Google Ads Remarketing Tag sp google
Affiliate Window Conversion Tag awc nonGoogleScripts
Affiliate Window Journey Tag awj nonGoogleScripts
Bing Ads Universal Event Tracking baut nonGoogleScripts
Bizrate Insights Buyer Survey Solution bb nonGoogleScripts
Bizrate Insights Site Abandonment Survey Solution bsa nonGoogleScripts
ClickTale Standard Tracking Tag cts nonGoogleScripts
comScore Unified Digital Measurement Tag csm nonGoogleScripts
Conversant Mediaplex - IFRAME MCT Tag mpm nonGoogleIframes
Conversant Mediaplex - Standard IMG ROI Tag mpr nonGooglePixels
Conversion Linker gclidw google
Crazy Egg Tag cegg nonGoogleScripts
Criteo OneTag crto nonGoogleScripts
Custom HTML Tag html customScripts
Custom Image Tag img customPixels
DistroScale Tag dstag nonGoogleScripts
Floodlight Counter Tag flc  
Floodlight Sales Tag fls  
Dstillery Universal Pixel Tag m6d nonGooglePixels
Eulerian Analytics Tag ela customScripts
Google Analytics Tag ga google
Google Consumer Surveys Website Satisfaction gcs google
Google Optimize opt google
Google Trusted Stores Tag ts  
Hotjar Tracking Code hjtc nonGoogleScripts
Infinity Call Tracking Tag infinity nonGoogleScripts
Intent Media - Search Compare Ads sca nonGoogleScripts
K50 tracking tag k50Init nonGoogleScripts
LeadLab ll nonGoogleScripts
LinkedIn Tag bzi nonGoogleScripts
Lytics JS Tag ljs nonGoogleScripts
Marin Software Tag ms nonGoogleScripts
Mediaplex - IFRAME MCT Tag mpm nonGoogleIframes
Mediaplex - Standard IMG ROI Tag mpr nonGooglePixels
Message Mate messagemate nonGoogleScripts
Mouseflow Tag mf nonGoogleScripts
Neustar Pixel ta nonGoogleScripts
Nielsen DCR Static Lite Tag ndcr nonGoogleScripts
Nudge Content Analytics Tag nudge nonGoogleScripts
Oktopost Tracking Code okt nonGoogleScripts
Optimise Conversion Tag omc nonGoogleScripts
OwnerListens Message Mate messagemate nonGoogleScripts
Perfect Audience Pixel pa nonGoogleScripts
Personali Canvas pc nonGoogleScripts
Pinterest pntr nonGoogleScripts
Placed placedPixel nonGoogleScripts
Pulse Insights Voice of Customer Platform pijs nonGoogleScripts
Quantcast Audience Measurement qcm nonGoogleScripts
Quora Pixel qpx nonGoogleScripts
Rawsoft FoxMetrics fxm nonGoogleScripts
SaleCycle JavaScript Tag scjs customScripts
SaleCycle Pixel Tag scp customPixels
SearchForce JavaScript Tracking for Conversion Page sfc nonGoogleScripts
SearchForce JavaScript Tracking for Landing Page sfl nonGoogleScripts
SearchForce Redirection Tracking Tag sfr nonGooglePixels
Shareaholic shareaholic nonGoogleScripts
Survicate Widget svw nonGoogleScripts
Tradedoubler Lead Conversion Tag tdlc nonGooglePixels
Tradedoubler Sale Conversion Tag tdsc nonGooglePixels
Turn Conversion Tracking Tag tc nonGoogleScripts
Turn Data Collection Tag tdc nonGoogleScripts
Twitter Universal Website Tag twitter_website_tag nonGoogleScripts
Universal Analytics Tag ua google
Upsellit Global Footer Tag uslt customScripts
Upsellit Confirmation Tag uspt customScripts
Ve Interactive JavaScript Tag vei nonGoogleScripts
Ve Interactive Pixel veip nonGooglePixels
VisualDNA Conversion Tag vdc nonGoogleScripts
Xtremepush xpsh nonGoogleScripts
Yieldify yieldify nonGoogleScripts
Zones zone  
Trigger ID Classes
Element Visibility Listener/Trigger evl google
Click Listener/Trigger cl google
Form Submit Listener/Trigger fsl  
History Listener/Trigger hl google
JavaScript Error Listener/Trigger jel google
Link Click Listener/Trigger lcl  
Scroll Depth Listener/Trigger sdl google
Timer Listener/Trigger tl google
YouTube Video Listener/Trigger ytl google
Variable ID Classes
1st Party Cookie k google
Auto-Event Variable v google
Constant c google
Container Version Number ctv google
Custom Event e google
Custom JavaScript Variable jsm customScripts
Data Layer Variable v google
Debug Mode dbg google
DOM Element d google
Element Visibility vis google
HTTP Referrer f google
JavaScript Variable j google
Lookup Table smm google
Random Number r google
RegEx Table remm google
URL u google

The following table provides a listing of the available classes and their relationships to other classes. The Whitelisted Automatically column represents the list of classes that will be implicitly whitelisted when the class from that row is whitelisted. Likewise, the Blacklisted Automatically column represents the list of classes that will be implicitly blacklisted when the class from that row is blacklisted.

Class Description Whitelisted Automatically Blacklisted Automatically
customPixels Capable of sending pixels to URLs defined by the user. nonGooglePixels customScripts
html
customScripts Capable of running JavaScript code provided by the user. html
customPixels
nonGooglePixels
nonGoogleScripts
nonGoogleIframes
html
google Only capable of running Google hosted scripts and sending pixels to Google.    
html Alias for customScripts. Note that this is also the ID for the Custom HTML tag. This ensures that legacy users also get the benefits of the customScripts class. customScripts
customPixels
nonGooglePixels
nonGoogleScripts
nonGoogleIframes
customScripts
nonGooglePixels Capable of sending pixels to non-Google domains.   customPixels
customScripts
html
nonGoogleScripts
nonGoogleIframes
nonGoogleScripts Capable of running scripts not provided by Google. nonGooglePixels
customScripts
html
nonGoogleIframes Capable of injecting iframes from non-Google domains. nonGooglePixels
customScripts
html
nonGoogleScripts
sandboxedScripts Sandboxed JavaScript used as part of custom templates. None None