react-gtm
react-gtm copied to clipboard
alinemorelli
Violation of Content Security Policy directive script-src that disables inline scripts
TagManager.js:59 appears to fail CSP directive that prevents inline scripts. https://github.com/alinemorelli/react-gtm/blob/52f2328ab1b45734c342e9021fe693795a03972d/dist/TagManager.js#L59
My Content-Security-Policy directive is:
script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com;
Google's console responds with:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-AmDiJyvKvr94dB5Fpw4fKR7GDBqrf2xZhnMaV3YAPrA='), or a nonce ('nonce-...') is required to enable inline execution.
I definitely can't allow 'unsafe-inline' in my app. Any ideas?
What I found is that GTM is actually the issue. They force you to add unsafe-inline for scripts, so I stopped using GTM. I just use regular analytics instead.
Google's advisory on this topic: https://developers.google.com/tag-manager/web/csp
@lovelstn did you set up nonces correctly? In addition you still need required CSP rules to be set up (see https://developers.google.com/tag-manager/web/csp), but in the end it works for where I use it.
@webjunkie I tried the same as mentioned in that article, but it still errors. Would it be possible to share an example code, describing how you set it. Thank you
Same here. I've also tried this PR: https://github.com/alinemorelli/react-gtm/pull/46 and it does seem to solve the issue. Any chance that PR will merge soon?
Following thread resolved this issue:
https://stackoverflow.com/questions/65100704/gtm-not-propagating-nonce-to-custom-html-tags
