4

I have a google analytics script in my jekyll app that suddenly stopped capturing visitor information. I have determined that the hash has deprecated and have included the following error messages that I have:

<script async src="https://www.googletagmanager.com/gtag/js?id=XYZ" integrity="sha384-MY HASH" crossorigin="anonymous"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-144775756-1');
</script>

In Firefox Dev Ed:

None of the “sha384” hashes in the integrity attribute match the content of the subresource.

In Chrome:

GET https://www.googletagmanager.com/gtag/js?id=XYZ net::ERR_BLOCKED_BY_CLIENT

I cannot remove the integrity hash for security reasons and I need those analytics.

I have tried changing the integrity hash via https://www.srihash.org/ but unfortunately nothing really changes.

I have tried adding a CSP meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://www.googletagmanager.com">

However that results in the same errors as above as well as these errors:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' https://www.googletagmanager.com". Either the 'unsafe-inline' keyword, a hash ('sha256-UVGwFlokk48rx16gP58wsQf8mf94VqVbcJorUyG9iug='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' https://www.googletagmanager.com". Either the 'unsafe-inline' keyword, a hash ('sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Update:

I was able to fix the CSP errors with this solution but the original problem with the sha384 hash still persists.

everyday_potato
  • 113
  • 1
  • 1
  • 14

0 Answers0