Hi,
I can see that there’s a nice and clean way to generate nonce for gtm. Is there a way to add the nonce to the DOM without installing GTM container? I’d like to avoid using unsafe-inline for my scripts.
2 Likes
Good question, technically I don’t see a reason why we shouldn’t include the nonce regardless of whether GTM is installed.
Marking this as pr-welcome.
1 Like
A CSP nonce would be useful to get around a Cloudflare problem as well.
Cloudflare’s Super Bot Fight Mode injects inline scripts and the docs mention using a nonce:
https://developers.cloudflare.com/bots/reference/javascript-detections/#if-you-have-a-content-security-policy-csp
The error I’m getting on my site is: “Refused to execute a script because its hash, its nonce, or ‘unsafe-inline’ does not appear in the script-src directive of the Content Security Policy.”
Our splash screen implementation already uses CSP nonces, @Johani built it.
Getting something like that to work for GTM or superbot is probably fairly workable.
1 Like
Actually… my unsafe-inline just stopped working. Did you introduce some breaking changes? Console reports:
Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list
The thing is that I didn’t change anything. Did the splash screen’s nonce break it? 
I lost a month of web analytics data because of that…
1 Like