Securing Google Publisher Tags with Content Security Policy

The Google Publisher Tag (GPT) now supports integrating with a Content-Security-Policy (CSP). Using a CSP, you can precisely control which external sources are allowed to load on your site, on a page-by-page basis. In this way, CSPs help to detect and defend against common web vulnerabilities such as cross site scripting (XSS) attacks.

Although CSPs can be implemented in a number of ways, GPT only supports the strict CSP method, using nonces. For detailed instructions on setting this up, see our guide on Integrating with a Content Security Policy.

A note on existing CSPs

While GPT did not previously support CSPs, we're aware that some publishers worked around this by using CSPs based on an allowlist of domains. As previously mentioned, however, only nonce-based strict CSP implementations are supported. This is due to the fact that the set of domains GPT accesses is subject to change over time.

If you've been using GPT with an allowlist-based CSP, we strongly recommend that you supplement or replace it with a nonce-based strict CSP policy. This will reduce the risk that a future change to GPT may break ad serving on your page.