Open DavrosFl opened 5 years ago
I am facing the same issue, any pointers?
What I found is that GTM is actually the issue. They force you to add unsafe-inline for scripts, so I stopped using GTM. I just use regular analytics instead.
Google's advisory on this topic: https://developers.google.com/tag-manager/web/csp
Have tried out this pull request #46 doesnt seem to help me.
@lovelstn did you set up nonces correctly? In addition you still need required CSP rules to be set up (see https://developers.google.com/tag-manager/web/csp), but in the end it works for where I use it.
@webjunkie I tried the same as mentioned in that article, but it still errors. Would it be possible to share an example code, describing how you set it. Thank you
same problem here
Same here. I've also tried this PR: https://github.com/alinemorelli/react-gtm/pull/46 and it does seem to solve the issue. Any chance that PR will merge soon?
When the PR: #46 is going to be merged? any time soon?
Following thread resolved this issue:
https://stackoverflow.com/questions/65100704/gtm-not-propagating-nonce-to-custom-html-tags
TagManager.js:59 appears to fail CSP directive that prevents inline scripts. https://github.com/alinemorelli/react-gtm/blob/52f2328ab1b45734c342e9021fe693795a03972d/dist/TagManager.js#L59
My Content-Security-Policy directive is:
script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com;
Google's console responds with:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-AmDiJyvKvr94dB5Fpw4fKR7GDBqrf2xZhnMaV3YAPrA='), or a nonce ('nonce-...') is required to enable inline execution.
I definitely can't allow 'unsafe-inline' in my app. Any ideas?