Google Analytic / Tag Manager with CSP (Content Security Policy) #3651
              
Unanswered
codepainting asked this question in Q&A
Replies: 2 comments, 1 reply
You can add sveltekit's nonce to your GTM script:

<!-- app.html -->
<script nonce="%sveltekit.nonce%"
  
         I got a build error on Vercel with this approach. 
 
I'm having serious problems getting Google Analytic / Tag Manager to work with CSP (Content Security Policy).
So when I set a script-src rule with unsafe-inline (needed for Google Analytics) it throws this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com 'sha256-…='". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

While the explanation is pretty clear (unsafe-inline gets ignored because a hash/nonce is present) there seems to be no way to disable the generation of hashes/nonces in Sveltekit (for all or for specific rules) or at least I am not aware of one.
Any suggestions how I might work around this?
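The rule behind the error quoted in the question, and the reason a matching nonce on the script tag satisfies the policy, shown as an added example (not code from this thread or from SvelteKit): a simplified JavaScript model of the browser's inline-script decision for script-src. The function names and the sample policies, hash and nonce values are constructed for illustration.

```javascript
// Added example: simplified model of the browser's inline-script check for
// script-src. Left out: 'strict-dynamic', script-src-elem, default-src fallback.

// Constructed sample policies (hash and nonce values are placeholders).
const POLICY_WITH_HASH =
  "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com 'sha256-CONSTRUCTEDplaceholderHASH='";
const POLICY_WITH_NONCE =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com 'nonce-c29tZUNvbnN0cnVjdGVk'";
const POLICY_INLINE_ONLY = "script-src 'self' 'unsafe-inline'";

// Return the source list of the script-src directive, or null if absent.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null;
}

// script: { nonce?: string, hash?: string } where hash is the precomputed
// "sha256-<base64>" digest of the inline script body.
function inlineScriptVerdict(policy, script = {}) {
  const sources = parseScriptSrc(policy);
  if (sources === null) {
    return { allowed: true, reason: 'no script-src (default-src fallback not modelled)' };
  }
  const nonces = sources
    .map((s) => /^'nonce-(.+)'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  const hashes = sources
    .filter((s) => /^'sha(256|384|512)-.+'$/.test(s))
    .map((s) => s.slice(1, -1));

  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  if (script.hash && hashes.includes(script.hash)) {
    return { allowed: true, reason: 'hash matches' };
  }
  // Any nonce or hash in the list switches 'unsafe-inline' off.
  if (nonces.length > 0 || hashes.length > 0) {
    return { allowed: false, reason: "'unsafe-inline' ignored: nonce or hash present" };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { allowed: true, reason: "'unsafe-inline' in effect" };
  }
  return { allowed: false, reason: 'inline scripts not permitted' };
}
```

In a real deployment the nonce is generated fresh for every response, so it cannot be hard-coded the way the constructed value is here.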