dreamzmaster
commented
5 years ago I am facing the same issue, any pointers?
Open DavrosFl opened 5 years ago
dreamzmaster
commented
5 years ago I am facing the same issue, any pointers?
DavrosFl
commented
5 years ago What I found is that GTM is actually the issue. They force you to add unsafe-inline for scripts, so I stopped using GTM. I just use regular analytics instead.
Google's advisory on this topic: https://developers.google.com/tag-manager/web/csp
lovelstn
commented
4 years ago Have tried out this pull request #46 doesnt seem to help me.
webjunkie
commented
4 years ago @lovelstn did you set up nonces correctly? In addition you still need required CSP rules to be set up (see https://developers.google.com/tag-manager/web/csp), but in the end it works for where I use it.
praweb
commented
4 years ago @webjunkie I tried the same as mentioned in that article, but it still errors. Would it be possible to share an example code, describing how you set it. Thank you
Fabiomad85
commented
3 years ago same problem here
mvanderblom
commented
3 years ago Same here. I've also tried this PR: https://github.com/alinemorelli/react-gtm/pull/46 and it does seem to solve the issue. Any chance that PR will merge soon?
carlosoro
commented
3 years ago When the PR: #46 is going to be merged? any time soon?
shubham-bookdepot
commented
3 years ago Following thread resolved this issue:
https://stackoverflow.com/questions/65100704/gtm-not-propagating-nonce-to-custom-html-tags
TagManager.js:59 appears to fail CSP directive that prevents inline scripts. https://github.com/alinemorelli/react-gtm/blob/52f2328ab1b45734c342e9021fe693795a03972d/dist/TagManager.js#L59
My Content-Security-Policy directive is:
script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com;Google's console responds with:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-AmDiJyvKvr94dB5Fpw4fKR7GDBqrf2xZhnMaV3YAPrA='), or a nonce ('nonce-...') is required to enable inline execution.I definitely can't allow 'unsafe-inline' in my app. Any ideas?