Can't get Google Tag Manager to work

Hello!

We can't set up GTM to work on our forum: https://forum.warthunder.com/

As you can see, there is an error about Content Security Policy.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://forum.warthunder.com/logs/ https://forum.warthunder.com/sidekiq/ https://forum.warthunder.com/mini-profiler-resources/ https://forum.warthunder.com/assets/ https://forum.warthunder.com/brotli_asset/ https://forum.warthunder.com/extra-locales/ https://forum.warthunder.com/highlight-js/ https://forum.warthunder.com/javascripts/ https://forum.warthunder.com/plugins/ https://forum.warthunder.com/theme-javascripts/ https://forum.warthunder.com/svg-sprite/ https://www.googletagmanager.com/gtm.js 'nonce-857b78b0187f8ee53100212842747417' 'sha256-HZxBMVZe6P3MvHDZlFai9cUmLH+qwX6BNT3qTwNPATg='". Either the 'unsafe-inline' keyword, a hash ('sha256-93qwY4D574Ysts67Kmc0jpUYGBwBuG9q6hhQl+Kk9us='), or a nonce ('nonce-...') is required to enable inline execution.

The URLs are good in the CSP header, and the nonce is correct.

Do you know what might be the problem?

Thanks.
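The refusal quoted in the post above is for an inline script, which is matched by a nonce on its tag, a listed hash, or 'unsafe-inline', not by URL entries such as the gtm.js address. The Python check below is an added example, not part of the thread or of Discourse; its function names and the sample inline script are constructed, and the policy is shortened from the reported directive.

```python
import base64
import hashlib

# Shortened from the directive in the reported error (values as posted).
SAMPLE_POLICY = (
    "script-src https://forum.warthunder.com/assets/ "
    "https://www.googletagmanager.com/gtm.js "
    "'nonce-857b78b0187f8ee53100212842747417' "
    "'sha256-HZxBMVZe6P3MvHDZlFai9cUmLH+qwX6BNT3qTwNPATg='"
)
# Constructed stand-in for an inline bootstrap snippet (not the real GTM code).
SAMPLE_INLINE = "window.dataLayer = window.dataLayer || [];"

def script_src_sources(policy):
    """Source list of script-src, else default-src, else None (unrestricted)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src"))

def csp_hash(script_text, alg="sha256"):
    """Hash-source value for the exact text between <script> and </script>."""
    digest = hashlib.new(alg, script_text.encode("utf-8")).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def inline_script_verdict(policy, script_text, nonce_attr=None):
    """Return (allowed, reason) for one inline <script> element."""
    sources = script_src_sources(policy)
    if sources is None:
        return True, "policy does not restrict scripts"
    quoted = [s.strip("'") for s in sources if s.startswith("'")]
    nonces = {s[len("nonce-"):] for s in quoted if s.startswith("nonce-")}
    hashes = {s for s in quoted if s.startswith(("sha256-", "sha384-", "sha512-"))}
    if nonce_attr and nonce_attr in nonces:
        return True, "nonce attribute matches a nonce-source"
    for alg in ("sha256", "sha384", "sha512"):
        if csp_hash(script_text, alg) in hashes:
            return True, f"{alg} hash of the script text is listed"
    # Browsers ignore 'unsafe-inline' once any nonce or hash is present.
    if "unsafe-inline" in quoted and not nonces and not hashes:
        return True, "'unsafe-inline' is in effect"
    return False, f"refused: add nonce to the tag or list '{csp_hash(script_text)}'"

if __name__ == "__main__":
    print(inline_script_verdict(SAMPLE_POLICY, SAMPLE_INLINE))
    print(inline_script_verdict(SAMPLE_POLICY, SAMPLE_INLINE,
                                "857b78b0187f8ee53100212842747417"))
```

The hash is computed over the exact script text, so any whitespace change in the inline snippet produces a different value.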

hi @Nikolaos_SP :wave: welcome to Meta :slight_smile:

maybe have a look at this topic

2 Likes

Hello Lilly

I read that article and a lot of others on this forum, and nothing helped :frowning:

The main page sets the CSP header correctly; there is the GTM address in script src. And there is also a nonce, but the browser still for some reason blocks script loading.

What happens if you don’t use CSP, aka Report-only?

1 Like

If I disable Content Security Policy in the admin panel, then it works normally.
But that would be a security risk then.

Actually, it isn’t that big a risk, if at all. CSP is a very unreliable way, and security will fall anyway because there is quite a big must to allow everything if one wants to keep things working.

But for you that is quite an easy dilemma: do you really need that extra layer of security or do you need Google tags? Or can you use Matomo instead?

@Nikolaos_SP

I have added the googletagmanager.com domain to the CSP whitelist and it worked for me.

1 Like