Wordpress 内容安全策略问题

Question

Our website is designed based on WordPress tool and published on Azure web service. Our goal is to use google analytic for checking traffic. Due to this fact, the google analysis tag was added in the header part of our page which causes the following error:

Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=??' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I understand that violation of the Content Security Policy is the main problem. Therefore, I added meta in the header (Content-Security-Policy: script-src 'unsafe-inline') but the issue did not disappear. I will appreciate any help.

Answer 1

Since you have got a Content Security Policy (CSP) violation, you already have a first CSP published at the page.
Adding a second CSP via meta tag (or even via second HTTP header) will not solve a problem, because all sources should pass through both CSPs to be allowed.

Therefore you have to add blocked source ( https://www.googletagmanager.com ) in first CSP into script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com; .
Check if your WP has some installed plugins to manage CSP, or CSP is published in the .htaccess file.

Since you have 'unsafe-eval' 'unsafe-inline' in the script-src , you should not have problems with Google Tag Manager (GTM).
Anyway you can check CSP for your GTM-XXXXXX ID - which additional scripts are loaded by GTM and which tokens are required in you specific case.