Error in Content Security Policy and gtag.js

Hi,

We are getting this error in our forum (https://forum.playcanvas.com/):

The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/gtag/js?id=UA-XXXXXXXX-X'. The query component, including the '?', will be ignored.

We haven’t added that URL in our CSP settings, I think it is added by discourse and the query component is probably not valid in a CSP.

Any idea how to fix it?

1 Like

How have you configured google tag manager? Are you using the built-in discourse method? Or have you added some custom code to a theme component?

We have a custom theme component that includes https://www.googletagmanager.com/gtag/js?id=U_XXX… manually. We were using the built-in discourse method before but took it out because we needed to add some additional gtag methods called before the analytics are included.

Maybe that CSP was set when we were using the built-in method and now it doesn’t remove it for some reason?

1 Like

I see. It looks like you’re running into an old bug we had, which was fixed back in January:

https://github.com/discourse/discourse/commit/b0088361a474575a4fcd3fbef77d9fa0286ef113

This fix hasn’t been backported to the stable branch, so I’m afraid you’ll either have to update to tests-passed, or wait for the next stable release. In the meantime, the warning you see can be safely ignored - the browser will automatically remove the query component of the URL.

2 Likes

Oh I see that makes sense! OK thanks!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.