Configure a sandboxed JavaScript policy

You can configure a policy script that limits the permissions of the server-side container. This page shows you how to configure a policy file for your container. These instructions assume you are already familiar with custom template policies for Tag Manager.

A server-side policy file is a JavaScript file that uses gtag.js syntax to define and register one or more policies.

  1. Create a JavaScript file that creates and registers one or more policies. Each policy function is registered for a specific permission or for all permissions. A policy function rejects a permission request when it returns false or throws an exception. For example:

    gtag('policy', 'all', function(container, policy, data) {
      // This function will run for every permission check. Return true to
      // allow the permission check. Return false or throw an exception to
      // deny the permission check.
      // container is the container id (e.g. GTM-ABC123)
      // policy is the permission type (e.g. get_cookies)
      // data is an object containing data about the permission request
      // This policy applies to only one container. This check allows the
      // same policy file to apply to more than one Tag Manager server
      // container.
      if (container !== 'GTM-ABC123') return true;
      // Since this code runs on all permission checks, conditionally check
      // the permission type and decide to permit or deny the permission.
      switch (policy) {
        // Container GTM-ABC123 can send HTTP requests. Everything else is
        // prohibited.
        case 'send_http':
          return true;
        // All other permission requests are denied.
          return false;
    gtag('policy', 'get_cookies', function(container, policy, data) {
      // This function will run for checks on the get_cookies permission.
      // Deny all permission checks to read cookies except for the 'user_id'
      // cookie. This check applies to all containers that load this policy
      // file.
      return === 'user_id';
  2. Host the JavaScript file at a publicly accessible HTTPS URL. The file may be hosted on any web server, but the steps below describe how to host it in a Google Cloud Storage Bucket.

    1. Go to and select your project at the top of the page.
    2. Select Storage -> Browser from the left hand navigation.
    3. Click Create bucket.
    4. Follow the steps to create the bucket. For Access control, select Fine-grained.
    5. Click Upload files, and upload your policy JavaScript file.
    6. Once the file has uploaded, click on the file name, then select Edit Permissions.
    7. Click Add entry with:
      • Entity: Public
      • Name: allUsers
      • Access: Reader
    8. Click Save.
    9. Click the back arrow to return to the previous page.
    10. In the line for the policy file, click Copy URL.
  3. Follow the steps in Create or Reconfigure a Tagging Server to modify your tagging server configuration. When prompted for a policy URL, enter the URL from step 2.