Is there an option to get server-side generated CSP nonce for non-GTM scripts?

Hi,

I can see that there’s a nice and clean way to generate a nonce for GTM. Is there a way to add the nonce to the DOM without installing a GTM container? I’d like to avoid using unsafe-inline for my scripts.

2 Likes

Good question; technically I don’t see a reason why we shouldn’t include the nonce regardless of whether GTM is installed.

Marking this as pr-welcome.

1 Like

A CSP nonce would be useful to get around a Cloudflare problem as well.

Cloudflare’s Super Bot Fight Mode injects inline scripts and the docs mention using a nonce:
https://developers.cloudflare.com/bots/reference/javascript-detections/#if-you-have-a-content-security-policy-csp

The error I’m getting on my site is: “Refused to execute a script because its hash, its nonce, or ‘unsafe-inline’ does not appear in the script-src directive of the Content Security Policy.”

Our splash screen implementation already uses CSP nonces, @Johani built it.

Getting something like that to work for GTM or superbot is probably fairly workable.

1 Like

Actually… my unsafe-inline just stopped working. Did you introduce some breaking changes? Console reports:

Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list

The thing is that I didn’t change anything. Did the splash screen’s nonce break it? :confused:

I lost a month of web analytics data because of that…

1 Like
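Two things in this thread are worth seeing in code: how a server generates a per-response nonce and emits it in both the header and the script tag (the original question), and why adding a nonce silently disables 'unsafe-inline' (the last post's breakage). The following is an added example in plain Ruby, not Discourse's own code and not its CSP implementation; the function names and the simplified `script-src` evaluator are assumptions written for illustration.

```ruby
require 'securerandom'
require 'base64'

# Generate a fresh, unguessable nonce for one HTTP response.
# 128 random bits, base64-encoded; a nonce must never be reused across responses.
def generate_csp_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end

# Build a script-src directive. `nonce` may be nil; `unsafe_inline` adds 'unsafe-inline'.
# (Hypothetical helper; a real app would set this on the Content-Security-Policy header.)
def build_script_src(nonce: nil, unsafe_inline: false, extra: ["'self'"])
  sources = extra.dup
  sources << "'nonce-#{nonce}'" if nonce
  sources << "'unsafe-inline'" if unsafe_inline
  "script-src #{sources.join(' ')}"
end

# Render an inline <script> carrying the nonce attribute, so it matches the header.
def nonced_script_tag(nonce, js)
  %(<script nonce="#{nonce}">#{js}</script>)
end

# Decide whether an inline script (script_nonce is nil when the tag has no nonce
# attribute) would run under the given script-src directive. This mirrors the rule
# quoted in the thread: when the source list contains a nonce or a hash, the browser
# ignores 'unsafe-inline', so un-nonced inline scripts are blocked.
def inline_script_allowed?(script_src, script_nonce)
  sources = script_src.sub(/\Ascript-src\s+/, '').split
  nonces = sources.filter_map { |s| s[/\A'nonce-(.+)'\z/, 1] }
  has_hash = sources.any? { |s| s.start_with?("'sha256-", "'sha384-", "'sha512-") }

  return true if script_nonce && nonces.include?(script_nonce)  # nonce matches
  return false if !nonces.empty? || has_hash                    # unsafe-inline ignored
  sources.include?("'unsafe-inline'")                           # legacy fallback only
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_csp_nonce
  header = build_script_src(nonce: nonce)
  puts "Content-Security-Policy: #{header}"
  puts nonced_script_tag(nonce, "console.log('runs: nonce matches header')")

  # The breakage from the thread: a policy that has BOTH a nonce and 'unsafe-inline'.
  mixed = build_script_src(nonce: nonce, unsafe_inline: true)
  puts "Un-nonced inline script under '#{mixed}' allowed? " \
       "#{inline_script_allowed?(mixed, nil)}"
end
```

The practical consequence: once any component (splash screen, GTM, a bot-detection script) puts a nonce into script-src, every other inline script on the page needs that same per-response nonce attribute, because 'unsafe-inline' no longer covers them.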