Google Analytics / Tag Manager with CSP (Content Security Policy) #3651
codepainting asked this question in Q&A (unanswered)
-
You can add SvelteKit's nonce to your GTM script:
<!-- app.html -->
<script nonce="%sveltekit.nonce%"
-
I got a build error on Vercel with this approach.
-
I'm having serious problems getting Google Analytics / Tag Manager to work with CSP (Content Security Policy).
So when I set a script-src rule with unsafe-inline (needed for Google Analytics) it throws this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com 'sha256-…='". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
While the explanation is pretty clear (unsafe-inline gets ignored because a hash/nonce is present), there seems to be no way to disable the generation of hashes/nonces in SvelteKit (for all or for specific rules), or at least I am not aware of one.
Any suggestions how I might work around this?
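The rule quoted in the error message above, modelled as an added example (not part of the original posts, and not SvelteKit's or any browser's code): a simplified check of whether an inline script may run under a given `script-src`. The function names, the `script.digest` parameter and the hash value are hypothetical or constructed for illustration.

```javascript
// Added example: simplified model of a browser's inline-script check under CSP.
// Not a full CSP3 implementation: script-src-elem, 'strict-dynamic' and
// report-only policies are left out.
const NONCE_RE = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/;
const HASH_RE = /^'(sha(?:256|384|512)-[A-Za-z0-9+/_-]+={0,2})'$/;

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script.nonce: the element's nonce attribute; script.digest: "sha256-<base64>"
// of its text (hypothetical parameter, precomputed by the caller).
function checkInlineScript(header, script = {}) {
  const policy = parsePolicy(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };

  const nonces = sources.map((s) => NONCE_RE.exec(s)?.[1]).filter(Boolean);
  const hashes = sources.map((s) => HASH_RE.exec(s)?.[1]).filter(Boolean);
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: 'nonce match' };
  }
  if (script.digest && hashes.includes(script.digest)) {
    return { allowed: true, reason: 'hash match' };
  }
  if (nonces.length > 0 || hashes.length > 0) {
    // Host sources and 'self' never authorise inline code, and the presence
    // of any nonce or hash switches 'unsafe-inline' off.
    return { allowed: false, reason: unsafeInline
      ? "'unsafe-inline' ignored: nonce or hash present"
      : 'no matching nonce or hash' };
  }
  return unsafeInline
    ? { allowed: true, reason: "'unsafe-inline'" }
    : { allowed: false, reason: 'inline scripts not allowed' };
}

// Constructed policies: the page's directive with a placeholder hash, and without it.
const WITH_HASH = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com 'sha256-ConstructedExampleDigest='";
const WITHOUT_HASH = "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com";
```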