The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/gtag/js?id=UA-XXXXXXXX-X'. The query component, including the '?', will be ignored.
We haven’t added that URL in our CSP settings, I think it is added by discourse and the query component is probably not valid in a CSP.
We have a custom theme component that includes https://www.googletagmanager.com/gtag/js?id=U_XXX… manually. We were using the built-in discourse method before but took it out because we needed to add some additional gtag methods called before the analytics are included.
Maybe that CSP was set when we were using the built-in method and now it doesn’t remove it for some reason?
This fix hasn’t been backported to the stable branch, so I’m afraid you’ll either have to update to tests-passed, or wait for the next stable release. In the meantime, the warning you see can be safely ignored - the browser will automatically remove the query component of the URL.