Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Violation of Content Security Policy directive script-src that disables inline scripts #41

Open
DavrosFl opened this issue Oct 2, 2019 · 9 comments
Open

Violation of Content Security Policy directive script-src that disables inline scripts #41

DavrosFl opened this issue Oct 2, 2019 · 9 comments

Comments

@DavrosFl
Copy link

DavrosFl commented Oct 2, 2019

TagManager.js:59 appears to fail CSP directive that prevents inline scripts.

react-gtm/dist/TagManager.js

Line 59 in 52f2328

document.head.insertBefore(gtm.script(), document.head.childNodes[0]);

My Content-Security-Policy directive is:
script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com;

Google's console responds with:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://*.googletagmanager.com https://*.googleapis.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-AmDiJyvKvr94dB5Fpw4fKR7GDBqrf2xZhnMaV3YAPrA='), or a nonce ('nonce-...') is required to enable inline execution.

I definitely can't allow 'unsafe-inline' in my app. Any ideas?
@dreamzmaster
Copy link

I am facing the same issue, any pointers?

@DavrosFl
Copy link
Author

What I found is that GTM is actually the issue. They force you to add unsafe-inline for scripts, so I stopped using GTM. I just use regular analytics instead.

Google's advisory on this topic: https://developers.google.com/tag-manager/web/csp

@webjunkie webjunkie mentioned this issue Nov 21, 2019
Closed
@lovelstn
Copy link

Have tried out this pull request #46 doesnt seem to help me.

@webjunkie
Copy link

webjunkie commented Dec 3, 2019
edited
Loading

@lovelstn did you set up nonces correctly? In addition you still need required CSP rules to be set up (see https://developers.google.com/tag-manager/web/csp), but in the end it works for where I use it.

@praweb
Copy link

praweb commented Jun 4, 2020

@webjunkie I tried the same as mentioned in that article, but it still errors. Would it be possible to share an example code, describing how you set it. Thank you

@Fabiomad85
Copy link

same problem here

@mvanderblom
Copy link

mvanderblom commented Apr 14, 2021
edited
Loading

Same here. I've also tried this PR: #46 and it does seem to solve the issue. Any chance that PR will merge soon?

@carlosoro
Copy link

When the PR: #46 is going to be merged? any time soon?

@shubham-bookdepot
Copy link

Following thread resolved this issue:

https://stackoverflow.com/questions/65100704/gtm-not-propagating-nonce-to-custom-html-tags

mosesokemwa added a commit to mosesokemwa/react-gtm-updated that referenced this issue Jun 21, 2023
@mosesokemwa
Add nonce argument to pass in a CSP nonce value so that the script el…
eab2eb4 
…ements are allowed to run on CSP enabled sites.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Fixes [alinemorelli#41](alinemorelli#41)

constibution by [@webjunkie](https://github.com/webjunkie)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add possibility to pass in a CSP nonce value Artory/react-gtm
9 participants
@webjunkie @mvanderblom @praweb @dreamzmaster @Fabiomad85 @carlosoro @lovelstn @DavrosFl @shubham-bookdepot