
Our website is built on WordPress and published as an Azure web service. Our goal is to use Google Analytics to check traffic. For this reason, the Google Analytics tag was added in the header of our page, which causes the following error:

Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=??' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I understand that the violation of the Content Security Policy is the main problem. Therefore, I added a meta tag in the header (Content-Security-Policy: script-src 'unsafe-inline'), but the issue did not disappear. I would appreciate any help.

1 Answer


Since you have got a Content Security Policy (CSP) violation, you already have a first CSP published on the page.
Adding a second CSP via a meta tag (or even via a second HTTP header) will not solve the problem, because all sources have to pass both CSPs to be allowed.

Therefore you have to add the blocked source (https://www.googletagmanager.com) to the first CSP, into `script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com;`.
Check whether your WP has some installed plugins to manage CSP, or whether the CSP is published in the .htaccess file.

Since you have 'unsafe-eval' 'unsafe-inline' in the script-src, you should not have problems with Google Tag Manager (GTM).
Anyway, you can check the CSP for your GTM-XXXXXX ID: which additional scripts are loaded by GTM and which tokens are required in your specific case.

granty
  • Granty, thanks for your reply. What do you have in mind with "first CSP"? Is it the CSP which I added, or the CSP which causes the problem and seems to be added automatically? – Samo Simoncic Jul 22 '21 at 05:12
  • I mean the CSP which was added automatically. Your WP already publishes some CSP by default; this CSP causes the violation even without the addition of the meta tag. That's why the meta tag does not work as expected. You can check for the presence of this "default CSP"; a tutorial is [here](https://stackoverflow.com/questions/64060894/trouble-with-content-security-policy/64068629#64068629). – granty Jul 22 '21 at 05:34
  • I checked and I get the following CSP in my HTTP response: `Content-Security-Policy: default-src 'unsafe-inline' data: https: blob:; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com`. Is this the main issue? I was trying to find the .htaccess file in the wp-admin directory in Kudu, but it does not exist. Is this normal? – Samo Simoncic Jul 22 '21 at 05:52
  • Yes, that is the main issue. `script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com;` is mentioned as the reason for the CSP violation. In WP the CSP can also be published in PHP code by the `header()` function. You have to find where this CSP is published and add `https://www.googletagmanager.com` there. – granty Jul 22 '21 at 06:21
  • Also, the CSP can be published in the [Azure config](https://stackoverflow.com/a/47855897/12865944). – granty Jul 22 '21 at 13:36
  • Thanks, granty, you are really kind. I added httpProtocol to web.config, but then the web page does not load at all. Is it possible to show me how I have to write the CSP in the httpProtocol tag? At the moment I have the following: But I get the error "The page cannot be displayed because an internal server error has occurred." – Samo Simoncic Jul 23 '21 at 18:01
  • I meant that it is necessary to search for where the CSP header is published, both in the WordPress engine and in the Azure config. And if you use an Nginx proxy, then in it too. We need to fix the CSP header that has already been published, not add a second one. `an internal server error has occurred` means a syntax error, or that the `` section has been placed in the wrong place. An example of a CSP header in Azure web.config can be found [here](https://www.azuretechguy.com/modifying-response-headers-in-azure-app-service) in the "Complete web.config" section. – granty Jul 23 '21 at 20:08
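The answer's central point, that every delivered policy (HTTP header and `<meta>` tag alike) must independently allow a load, and that `'unsafe-inline'` can never whitelist an external script URL, is easy to verify with a toy evaluator. The following is an added example, not code from the thread or from WordPress/Azure. It implements a simplified subset of CSP source matching (ports and paths in host-sources are ignored; nonces, hashes and `'strict-dynamic'` are treated as non-matching for URL loads) and applies the browser's fallback order `script-src-elem` → `script-src` → `default-src` that the error message mentions. The server policy is the header quoted in the comments; the page origin `example.azurewebsites.net` and the `G-XXXXXXX` measurement id are placeholders.

```python
"""Toy CSP evaluator: why a second <meta> policy cannot unblock gtag.js."""
from urllib.parse import urlsplit

# Browser fallback order when deciding whether an external <script src> may load.
SCRIPT_ELEM_FALLBACK = ("script-src-elem", "script-src", "default-src")


def parse_policy(policy: str) -> dict:
    """Turn 'dir src src; dir src' into {directive: [source, ...]}."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression match the URL being loaded? (simplified)"""
    u, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):
        # 'unsafe-inline', 'unsafe-eval', 'nonce-...', 'sha256-...' never
        # whitelist a URL, so they cannot fix a blocked external script.
        return False
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return u.scheme == source[:-1].lower()
    if "://" in source:                           # host-source with explicit scheme
        scheme, host = source.split("://", 1)
        if u.scheme != scheme.lower():
            return False
    else:                                         # scheme-less host-source
        host = source
        # must use the page's scheme, or upgrade http -> https
        if u.scheme != page.scheme and not (page.scheme == "http" and u.scheme == "https"):
            return False
    host = host.split("/", 1)[0].split(":", 1)[0].lower()   # drop path and port
    target = (u.hostname or "").lower()
    if host == "*":
        return True
    if host.startswith("*."):
        # *.google.com matches www.google.com but not google.com itself,
        # and certainly not www.googletagmanager.com.
        return target.endswith(host[1:])
    return target == host


def governing_directive(policy: dict):
    """Which directive decides external script loads under this policy."""
    for name in SCRIPT_ELEM_FALLBACK:
        if name in policy:
            return name
    return None


def policy_allows_script(policy_text: str, url: str, page_origin: str) -> bool:
    """A single policy's verdict on loading an external script from url."""
    policy = parse_policy(policy_text)
    directive = governing_directive(policy)
    if directive is None:
        return True                               # nothing governs scripts
    return any(source_matches(s, url, page_origin) for s in policy[directive])


def page_allows_script(policies, url: str, page_origin: str) -> bool:
    """Every delivered policy, header or <meta>, must allow the load."""
    return all(policy_allows_script(p, url, page_origin) for p in policies)


# Constructed inputs: placeholder origin and measurement id; the server
# policy is the header the asker found in the HTTP response.
PAGE_ORIGIN = "https://example.azurewebsites.net"
GTAG_URL = "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"

SERVER_CSP = ("default-src 'unsafe-inline' data: https: blob:; "
              "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
              "*.msecnd.net *.google.com *.gstatic.com")
META_CSP = "script-src 'unsafe-inline'"                       # what the asker added
FIXED_CSP = SERVER_CSP + " https://www.googletagmanager.com"  # the answer's fix


if __name__ == "__main__":
    print("server policy alone  :", page_allows_script([SERVER_CSP], GTAG_URL, PAGE_ORIGIN))
    print("server + meta policy :", page_allows_script([SERVER_CSP, META_CSP], GTAG_URL, PAGE_ORIGIN))
    print("fixed server policy  :", page_allows_script([FIXED_CSP], GTAG_URL, PAGE_ORIGIN))
```

Two details worth noticing when you run it: the permissive `default-src ... https:` never gets a say, because the presence of `script-src` makes it the governing directive for scripts; and keeping the asker's `<meta>` policy alongside the fixed header still blocks gtag.js, since `script-src 'unsafe-inline'` on its own allows no external script at all. Remove the meta tag once the real header is fixed.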