CSP: Directive script-src-elem violated with googletagmanager

Created on 14 April 2021, about 3 years ago

Updated 12 April 2024, 3 months ago

Problem/Motivation

Hello,

Here is the warning I have noticed from watchdog:

CSP: Directive script-src-elem violated.
Blocked URI: https://www.googletagmanager.com/gtm.js?id=GTM-M7H54VD.
Data: stdClass Object
(
    [document-uri] => https://www.gavi.org/vaccineswork/what-are-viral-vector-based-vaccines-and-how-could-they-be-used-against-covid-19
    [referrer] => https://www.google.com/
    [violated-directive] => script-src-elem
    [effective-directive] => script-src-elem
    [original-policy] => script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval' https://js-agent.newrelic.com https://www.google-analytics.com https://www.googletagmanager.com https://tagmanager.google.com https://www.gstatic.com https://www.google.com https://platform-api.sharethis.com https://cdnjs.cloudflare.com https://bam.nr-data.net https://*.sharethis.com https://platform.twitter.com/widgets.js https://assets.juicer.io/embed.js https://static.addtoany.com/menu/page.js https://pagecdn.io/ https://maps.googleapis.com https://cdn.jsdelivr.net https://www.recaptcha.net https://platform.twitter.com/ *.salesforce.com *.force.com *.visualforce.com *.documentforce.com gavialliancecareers.secure.force.com https://optimize.google.com https://www.googleoptimize.com/ https://connect.facebook.net *.flowpaper.com; object-src 'none'; style-src 'report-sample' 'self' 'unsafe-inline' https://assets.juicer.io/embed.css https://fonts.googleapis.com/ https://tagmanager.google.com https://cdn.jsdelivr.net https://optimize.google.com *.flowpaper.com; img-src 'self' data: https:;; frame-src 'self' https://www.googletagmanager.com https://www.youtube.com https://www.google.com https://*.sharethis.com https://c.sharethis.mgr.consensu.org/ https://datawrapper.dwcdn.net/ https://docs.google.com/ https://player.vimeo.com/ https://platform.twitter.com/ *.salesforce.com *.force.com *.visualforce.com *.documentforce.com gavialliancecareers.secure.force.com https://www.slideshare.net/ https://syndication.twitter.com/ https://optimize.google.com *.flowpaper.com https://counter.theconversation.com https://www.recaptcha.net; frame-ancestors 'self'; child-src blob:; font-src 'self' https://fonts.gstatic.com https://static.juicer.io https://www.slideshare.net/ https://use.typekit.net; report-uri /report-csp-violation; upgrade-insecure-requests
    [disposition] => enforce
    [blocked-uri] => https://www.googletagmanager.com/gtm.js?id=GTM-M7H54VD
    [status-code] => 0
    [script-sample] => 
)

Steps to reproduce

Currently I'm using Latest version (2.0.0), here there is option specifically for script-src-elem. In this example, googletagmanager is added under script-src. However, the warning is logged.

Any suggestions to resolve this. Thanks in advance.

Proposed resolution

Remaining tasks

User interface changes

Not applicable

API changes

Not applicable

Data model changes

Not applicable

💬 Support request

Status

RTBC

Version

2.0

Component

Code

Created by

🇮🇳India SivaprasadC

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 year ago →
🇮🇳India AswathyAjish
I am also having this same issue. I have tried the patch in #6, but no use.

Is there any other solution?
Comment 7 months ago →
🇬🇧United Kingdom Alina Basarabeanu
Patch #6 is working fine on Drupal 10.1.6 with Seckit 2.0.1
Status changed to RTBC 7 months ago11:36am 5 December 2023
Comment 7 months ago →
🇬🇧United Kingdom Alina Basarabeanu
Comment 3 months ago →
🇧🇴Bolivia alvarito75 Cochabamba
So far for Drupal 10.2.4 patch #6 worked

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024