Open gettonet opened 3 months ago
This filter was removed because it introduced some security risks.
If you want to alter the container code in any way, you should turn off the container code in plugin options and add your own container code using the GTM4WP_WPACTION_AFTER_CONTAINER_CODE / gtm4wp_after_container_code filter which fires regardless of whether container code is turned on or off in plugin settings.
Just make sure to output the full header script.
Datalayer script is making it impossible to add to CSP as hash, as it is dynamically created and it's different on every page:
<script data-cfasync="false" data-pagespeed-no-defer' . ( $has_html5_support ? ' type="text/javascript"' : '' ) . ( $add_cookiebot_ignore ? ' data-cookieconsent="ignore"' : '' ) . '>';
if ( '' !== $gtm4wp_options[ GTM4WP_OPTION_GTM_CODE ] ) {
$gtm4wp_datalayer_data = array();
$gtm4wp_datalayer_data = (array) apply_filters( GTM4WP_WPFILTER_COMPILE_DATALAYER, $gtm4wp_datalayer_data );
echo '
var dataLayer_content = ' . wp_json_encode( $gtm4wp_datalayer_data, JSON_UNESCAPED_UNICODE | JSON_NUMERIC_CHECK ) . ';';
echo '
' . esc_js( $gtm4wp_datalayer_name ) . '.push( dataLayer_content );';
}
echo '
</script>';
It is not the container itself, as it can be added to CSP as hash. But what to do with datalayer script? Wouldn't it be worth considering adding a filter for nonce?
I can of course.
What about adding a filter like gtm4wp_get_csp_nonce and what is returned is added to the
Hello,
given the fact gtm4wp_get_the_gtm_tag filter is deprecated, we cannot add nonce to gtm4wp scripts and include in website Content Security Policy. Why is this filter deprecated, do you plan to get it back in future releases, or do you recommend some other way of adding the gtm4wp scripts to CSP, apart from creating a hash for every single (dynamic) script?
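The workaround suggested in the thread (container code turned off in the plugin options, own container printed from the gtm4wp_after_container_code hook) can carry a per-request CSP nonce. The sketch below is an added example, not code from GTM4WP or from anyone in the thread; the `example_*` function names and the `GTM-XXXXXXX` container ID are placeholders, and the inline snippet follows Google's published nonce-aware GTM snippet.

```php
<?php
// Added example, not GTM4WP code. Assumes "container code" is switched off in the
// plugin options; GTM-XXXXXXX is a placeholder container ID.

// One nonce per request: 128 bits from the CSPRNG, never reused across responses.
function example_csp_nonce(): string {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Header line that admits only scripts carrying this request's nonce.
function example_csp_header( string $nonce ): string {
    return "Content-Security-Policy: script-src 'nonce-{$nonce}'";
}

// Full GTM header script: nonce on the inline tag, copied onto the injected gtm.js loader.
function example_gtm_container( string $container_id, string $nonce ): string {
    if ( ! preg_match( '/^GTM-[A-Z0-9]+$/', $container_id ) ) {
        return ''; // refuse anything that is not a plain container ID
    }
    $nonce_attr = htmlspecialchars( $nonce, ENT_QUOTES );
    return "<script nonce=\"{$nonce_attr}\">(function(w,d,s,l,i){w[l]=w[l]||[];"
        . "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
        . "var f=d.getElementsByTagName(s)[0],j=d.createElement(s),"
        . "dl=l!='dataLayer'?'&l='+l:'';j.async=true;"
        . "j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;"
        . "var n=d.querySelector('[nonce]');"
        . "n&&j.setAttribute('nonce',n.nonce||n.getAttribute('nonce'));"
        . "f.parentNode.insertBefore(j,f);"
        . "})(window,document,'script','dataLayer','{$container_id}');</script>\n";
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: send the policy, then print the container from the plugin's hook.
    add_action( 'send_headers', function () {
        header( example_csp_header( example_csp_nonce() ) );
    } );
    add_action( 'gtm4wp_after_container_code', function () {
        echo example_gtm_container( 'GTM-XXXXXXX', example_csp_nonce() );
    } );
} else {
    // Stand-alone run: show the header and tag that share one nonce.
    echo example_csp_header( example_csp_nonce() ), "\n";
    echo example_gtm_container( 'GTM-XXXXXXX', example_csp_nonce() );
}
```

This covers only the container snippet: the data layer script that the plugin prints itself still carries no nonce, which is the gap raised in the thread. A per-request nonce also requires that the HTML is not served from a full-page cache, since a cached body would repeat a nonce that no longer matches the header.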