Google Tag Manager (gtm) script blocked by CSP

Hi there!

I’m having a hard time figuring out why our GTM script is being blocked by our CSP:

Screenshot 2023-06-30 at 4.16.51 PM1262×786 154 KB

Here’s the script:

<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');</script>
<!-- End Google Tag Manager -->

I’m following the instructions here to add GTM to discourse. I’ve removed the GA ID as stated in the article, as well as added https://www.googletagmanager.com to our allowlist.

Any ideas?

did you see this topic?

Hey @Lilly! I didn’t see that topic in particular, but I did follow the documentation that it links to. I’ve allowlisted https://www.googletagmanager.com

Hi Ty,

It looks like you have a few scripts being blocked at the moment that you’ll want to add to your CSP:

Screenshot 2023-07-03 at 12.26.00 PM1570×312 78.3 KB

I also see that you’re getting a nonce error in the console. Have you tried configuring GTM to handle those?

One last thing I would try is to add https://*.googletagmanager.com to your allowlist.

Thanks a bunch for jumping in here @MarkDoerr!

I’ll need to reach out to the team that handles these scripts and mention nonce handling as well, thanks for pointing these out!

Odd, with either https://www.googletagmanager.com or https://*.googletagmanager.com allowlisted there aren’t any CSP related errors for the GTM script in particular in Brave nor Safari, just Chrome and Firefox.