Google Tag Manager en Discourse CSP (Content Security Policy)

Discourse · 27 april 2021 om 19:03

Discourse uses a ‘strict-dynamic’ Content Security Policy, and attaches a nonce to the root GTM script.

That means that, in the vast majority of cases, no extra configuration is required. strict-dynamic will automatically trust any scripts you load via GTM.

If you use GTM Custom JavaScript Variables, then you will need to add 'unsafe-eval' to the content security policy script src site setting. Alternatively, you can update your GTM configuration to use ‘Custom Templates’ instead of ‘Custom Variables’.

Last edited by @MarkDoerr 2025-12-11T00:35:04Z

Last checked by @MarkDoerr 2025-12-11T00:32:25Z

Check document
Perform check on document:

Topic		Antwoorden	Weergaven
GTM Refused to load the script because it violates the Content Security Policy Data & reporting	3	3524	16 juni 2021
Content-Security-Policy now uses 'strict-dynamic' Announcements	13	1589	2 september 2024
Google Tag Manager (gtm) script blocked by CSP Data & reporting analytics	4	5016	3 juli 2023
Can't get script tag to work in landing pages plugin due to content-security-policy Support	5	100	1 juli 2025
Mitigate XSS Attacks with Content Security Policy Site Management how-to , content-security-policy	32	24298	13 juni 2023

Google Tag Manager en Discourse CSP (Content Security Policy)

Gerelateerde topics