Custom template permissions

  • This document explains the permissions required for custom templates in Google Tag Manager and how they are used.

  • Each permission is checked by APIs, automatically detected in JavaScript code, editable in the template editor, and queryable via the queryPermission API.

  • Permissions control access to various resources like global variables, local storage, cookies, URLs, and the data layer, ensuring data security and privacy.

  • Each permission has a display name, description, configuration options, query signature, and example code snippets for implementation.

  • Templates can request access to specific resources by querying for the appropriate permissions, ensuring that only authorized operations are performed.

This document outlines the permissions for Web custom templates.

Each permission is:

  • Checked by APIs that require them.
  • Automatically detected in sandboxed JavaScript, based on what APIs are used. This happens as edits are made in the custom template editor (for a fast feedback loop), and when code is compiled (to validate that the correct permissions are enforced).
  • Editable in the custom template editor, to make the permission more specific.
  • Queryable in sandboxed JavaScript via the queryPermission API.

access_globals

Display name: Accesses global variables

Description: Allows access to a global variable (potentially including sensitive APIs).

Configuration: List of keys that can be accessed. Each key is a dot separated path. For example: foo.bar The first token in each path must not be a predefined key on browser global scope, nor a JavaScript keyword. Has read, write, and execute checkboxes that govern access.

Required by: setInWindow, copyFromWindow, callInWindow, createQueue, createArgumentsQueue

Query signature: queryPermission('access_globals', 'read', <key to read from>) or queryPermission('access_globals', 'write', <key to write to>) or queryPermission('access_globals', 'readwrite', <key to read and write>) or queryPermission('access_globals', 'execute', <key of function to execute>)

Notes: Controls whether a custom template can read and/or write to global values.

Example code

const queryPermission = require('queryPermission');
const createQueue = require('createQueue');
if (queryPermission('access_globals', 'readwrite', 'dataLayer')) {
  const dataLayerPush = createQueue('dataLayer');
}

access_local_storage

Display name: Accesses local storage

Description: Allows access to the specified keys in local storage.

Configuration: List of local storage keys that can be accessed. This is a simple array of keys, with no wildcards. Has read and write checkboxes that govern access.

Required by: localStorage

Query signature: queryPermission('access_local_storage', 'read', <key to read from>) or queryPermission('access_local_storage', 'write', <key to write to>) or queryPermission('access_local_storage', 'readwrite', <key to read and write>)

Example code

const queryPermission = require('queryPermission');
const localStorage = require('localStorage');
const key = 'my_key';
if (queryPermission('access_local_storage', 'read', key)) {
  const value = localStorage.getItem(key);
}

access_template_storage

Display name: Accesses template storage

Description: Allows access to temporary storage for templates that can persist for the lifetime of the page.

Configuration: None

Required by: templateStorage

Query signature: queryPermission('access_template_storage')

Example code

const queryPermission = require('queryPermission');
const templateStorage = require('templateStorage');
const key = 'my_key';
if (queryPermission('access_template_storage')) {
  const value = templateStorage.getItem(key);
}

get_cookies

Display name: Reads cookie value(s)

Description: Reads the values of the cookies with the specified name.

Configuration: List of names of cookies permitted for reading.

Required by: getCookieValues

Query signature: queryPermission('get_cookies', <name>)

Notes: Governs whether a cookie can be read, depending on its name.

Example code

const queryPermission = require('queryPermission');
const getCookieValues = require('getCookieValues');
const cookieName = 'info';
let cookieValues;
if (queryPermission('get_cookies', cookieName)) {
  cookieValues = getCookieValues(cookieName);
}

get_referrer

Display name: Reads referrer URL

Description: Permits read access to narrowed portions of the referrer.

Configuration: The following booleans govern which part of the referrer can be read. A given part of the referrer can only be read if the corresponding part is true. The caller can call getReferrerUrl without a component specified to get the full referrer URL if all these booleans are set to true. If no value is set, the default value is all. If a value is set, the value must be an array of components where a component is one of the following: protocol, host, port, path, query, or extension.

queryKeys: If query is selected, then the template author may further limit the set of query keys they can read from. This is a simple array of keys, with no wildcards.

Required by: getReferrerUrl, getReferrerQueryParameters

Query signature: queryPermission('get_referrer', <url_component>)

Example code

const queryPermission = require('queryPermission');
const getReferrerUrl = require('getReferrerUrl');
let referrer;
if (queryPermission('get_referrer', 'query')) {
  referrer = getReferrerUrl('queryParams');
}

get_url

Display name: Reads URL

Description: Returns part or all of the URL of the current page.

Configuration: The following booleans govern which part of the URL can be read. A given part of the URL can only be read if the corresponding part is true. The caller can call getUrl without a component specified to get the entire URL if and only if all these booleans are set to true. If no value is set, the default value is all. If a value is set, the value must be an array of components where a component is one of the following: protocol, host, port, path, query, extension, or fragment.

queryKeys: If query is selected, then the template author may further limit the set of query keys they can read from. This is a simple array of keys, with no wildcards.

Required by: getUrl

Query signature: queryPermission('get_url', <optional url component>, <optional query key>)

If supplied, Url component should be one of 'protocol', 'host', 'port', 'path', 'query', 'extension', 'fragment'. If omitted, the permission query is a request for access to the whole URL.

If supplied, query key should be the query string argument that the template code wants to read.

Notes: Controls whether a custom template can read from the current location. Allows limiting to a specific part of the location.

Example code

const queryPermission = require('queryPermission');
const getUrl = require('getUrl');
if (queryPermission('get_url', 'query', 'gclid')) {
  const gclid = getUrl('query', false, null, 'gclid');
}

inject_hidden_iframe

Display name: Injects hidden iframes

Description: Injects an invisible iframe with a given URL.

Configuration: List of URL patterns

Required by: injectHiddenIframe

Query signature: queryPermission('inject_hidden_iframe', <url>)

Notes: Governs whether a custom template can inject an invisible iFrame, and from which origin it can do so.

Example code

const queryPermission = require('queryPermission');
const injectHiddenIframe = require('injectHiddenIframe');
const url = 'https://www.example.com/iframes';
if (queryPermission('inject_hidden_iframe', url)) {
  injectHiddenIframe(url);
}

inject_script

Display name: Injects scripts

Description: Injects a script into the page.

Configuration: List of URL patterns

Required by: injectScript

Query signature: queryPermission('inject_script', <url>)

Notes: Governs whether a custom template can inject JavaScript, and from what origin it can do so.

Example code

const queryPermission = require('queryPermission');
const injectScript = require('injectScript');
const url = 'https://www.example.com?api.js';
if (queryPermission('inject_script', url)) {
  injectScript(url);
}

logging

Display name: Logs to console

Description: Logs to the developer console and GTM's preview mode.

Configuration: Option to enable logging in production. Defaults to only enable logging in debug/preview. If permission is denied, logToConsole will not throw an error, but will suppress the log message.

Required by: logToConsole

Query signature: queryPermission('logging')

Notes: Controls whether a custom template can log to the developer console.

Example code

const queryPermission = require('queryPermission');
const logToConsole = require('logToConsole');
// Note that it's fine to call log, since the log call will be ignored if
// logging isn't permitted in the current environment.
logToConsole('diagnostic info');

read_data_layer

Display name: Reads data layer

Description: Reads data from the dataLayer.

Configuration: Set of key match expressions, where a key match can be a leading series of dotted references, with a trailing wildcard. Key match expressions govern which properties may be read from the data layer.

Required by: copyFromDataLayer

Query signature: queryPermission('read_data_layer', <data layer key to read from>)

Notes: Controls whether a custom template can read from the data layer.

Example code

const queryPermission = require('queryPermission');
const copyFromDataLayer = require('copyFromDataLayer');
const dlKey = 'foo.bar';
if (queryPermission('read_data_layer', dlKey)) {
  const dlContents = copyFromDataLayer(dlKey);
}

read_analytics_storage

Display name: Reads analytics storage

Description: This allows templates to read stored analytics data such as Client IDs.

Configuration: None

Required by: readAnalyticsStorage

Query signature: queryPermission('read_analytics_storage')

Notes: Governs whether a custom template can read from analytics storage.

Example code

const queryPermission = require('queryPermission');
const readAnalyticsStorage = require('readAnalyticsStorage');
if (queryPermission('read_analytics_storage')) {
  const value = readAnalyticsStorage();
}

read_character_set

Display name: Reads document character set

Description: Reads document.characterSet.

Configuration: None

Required by: readCharacterSet

Query signature: queryPermission('read_character_set')

Notes: Governs whether a custom template can read document.characterSet.

Example code

const queryPermission = require('queryPermission');
const readCharacterSet = require('readCharacterSet');
if (queryPermission('read_character_set')) {
  const characterSet = readCharacterSet();
}

read_container_data

Display name: Reads container data

Description: Reads data about the container.

Configuration: None

Required by: getContainerVersion

Query signature: queryPermission('read_container_data')

Notes: Controls whether a custom template can read data about the container.

Example code

const queryPermission = require('queryPermission');
const getCookieValues = require('getContainerVersion');
let version;
if (queryPermission('read_container_data')) {
  version = getContainerVersion();
}

read_event_metadata

Display name: Reads event metadata

Description: Reads event metadata in Event Callbacks

Configuration: None

Required by: addEventCallback

Query signature: queryPermission('read_event_metadata')

Notes: Controls whether a custom template can read event metadata in callbacks.

Example code

const queryPermission = require('queryPermission');
const addEventCallback = require('addEventCallback');
if (queryPermission('read_event_metadata')) {
  addEventCallback((containerId, eventMetadata) => {
    // Read event metadata.
  });
}

read_title

Display name: Reads document title

Description: Reads document.title.

Configuration: None

Required by: readTitle

Query signature: queryPermission('read_title')

Notes: Governs whether a custom template can read the document.title.

Example code

const queryPermission = require('queryPermission');
const readTitle = require('readTitle');
if (queryPermission('read_title')) {
  const title = readTitle();
}

send_pixel

Display name: Sends pixels

Description: Sends a GET request to a specified URL. Response is not processed.

Configuration: List of allowed URL patterns.

Required by: sendPixel

Query signature: queryPermission('send_pixel', <url>)

Notes: Governs whether a custom template can send a GET request, and to which origin it can do so.

Example code

const queryPermission = require('queryPermission');
const sendPixel = require('sendPixel');
const url = 'https://www.example.com?foo=3';
if (queryPermission('send_pixel', url)) {
  sendPixel(url);
}

set_cookies

Display name: Sets a cookie

Description: Sets a cookie with the specified name and parameters.

Configuration: A table of allowed cookie names, each with optional restrictions on name, domain, path, secure attribute, and expiration.

Required by: setCookie

Query signature: queryPermission('set_cookies', <name>, <options>)

Notes: Governs whether a cookie can be written, depending on the cookie name, domain, path, secure attribute, and expiration.

Example code

const queryPermission = require('queryPermission');
const setCookie = require('setCookie');
const options = {
  'domain': 'www.example.com',
  'path': '/',
  'max-age': 60*60*24*365,
  'secure': true
};
if (queryPermission('set_cookies', 'info', options)) {
  setCookie('info', 'xyz', options);
}

write_data_layer

Display name: Writes data layer

Description: Writes data to the dataLayer.

Configuration: Set of key match expressions, where a key match can be a leading series of dotted references, with a trailing wildcard. Key match expressions govern which properties may write to the data layer.

Required by: gtagSet

Query signature: queryPermission('write_data_layer', <data layer key to write from>)

Notes: Controls whether a custom template can write to the data layer.

Example code

const queryPermission = require('queryPermission');
const gtagSet = require('gtagSet');
const dlKey = 'foo.bar';
if (queryPermission('write_data_layer', dlKey)) {
  gtagSet({dlKey: 'baz'});
}