Issue Need Help Whitelisting GTM Noscript in Comodo WAF Rule 214540 on Plesk

[SquanchIt]

Server operating system version

Ubuntu 22.04.5 LTS

Plesk version and microupdate number

Plesk Obsidian v18.0.68_build1800250311.08

Hello everyone,


I'm experiencing an issue with my website. A Comodo WAF rule (ID 214540) is blocking my homepage by flagging a standard, legitimate Google Tag Manager (GTM) noscript iframe, which is causing a 403 error.

[client [client IP]] ModSecurity: Access denied with code 403 (phase 4). Match of "rx \\ssrc=\\x22https:\\\\/\\\\/www\\\\.googletagmanager\\\\.com\\\\/ns\\\\.html\\\\?id=GTM|\\ssrc=\\x22https:\\\\/\\\\/w\\\\.soundcloud\\\\.com\\\\/player\\\\/\\?url=" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/19_Outgoing_FilterInFrame.conf"] [line "14"] [id "214540"] [msg "COMODO WAF: Possibly malicious iframe tag in output||[your-domain.com]|F|3"] [data "Matched Data: <iframe style='display:none found within TX:0: <iframe style='display:none"] [unique_id "[unique id]"]

The offending GTM code on the page is standard and looks like this:

<noscript>
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXX" height="0" width="0" style="display:none;visibility:hidden" aria-hidden="true"></iframe>
</noscript>

I've tried several custom ModSecurity exception rules in the HTTPS Apache directives:

SecRule RESPONSE_BODY "@contains googletagmanager.com/ns.html?id=GTM" "phase:4,pass,nolog,ctl:ruleRemoveById=214540,id:1000001"

SecRule RESPONSE_BODY "@rx <iframe\s+[^>]*src=[\"']https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM" "phase:4,pass,nolog,ctl:ruleRemoveById=214540,id:1000001,t:none"

Despite adding these rules under HTTPS, the GTM noscript iframe still triggers rule 214540, and I continue to see 403 errors. The error log indicates that the match is on a generic fragment (<iframe style='display:none), suggesting that the offending rule might be triggering before the full GTM URL is captured—or my custom exception isn’t loaded in the proper order.


Has anyone experienced similar issues or have suggestions on how to effectively whitelist the legitimate GTM noscript iframe without disabling the entire rule? I'm particularly interested in ensuring that my custom exception is loaded after the Comodo rules in the HTTPS configuration.


Thank you in advance for your help!

 

[alvarezcruz]

I have no clue about ModSec syntax, sorry for being useless there. I just wanted to suggest changing the ruleset to something else. Comodo is very inactive, and they haven't updated their ruleset in a while. It's possible this won't be a problem with a more actively developed ruleset like Atomic.