Magento Question posted in
The official documentation can be found here.

Magento 2.4.5-p8 with CSP on scripts inserted by Google Tag Manager

We’re updating our Magento from 2.4.5-p7 to 2.4.5-p8.

As you know, in Magento 2.4.5-p8 the CSP on the checkout page is now restrict mode instead of report-only.

We know now that the scripts inserted through our magento’s modules/theme must be rendered using the $secureRenderer (example in the image below)
SecureRenderer working well

And the external domains must be added as whitelist (example in the image below)
whitelist working well

But we still have problem loading scripts through Google Tag Manager.
It’s reporting that the inline script will not be loaded (example in the image below)
csp error on loading the GTM script
The script (example in the image below)
GTM script we are tying do load

References:
https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-5-patches
https://developer.adobe.com/commerce/php/development/security/content-security-policies/

How can we insert a script through GTM while preserving the CSP?

I don’t have any clue of how can I load a script through GTM.

Tags:

2

Answers


  1. 0

    I am not sure where you are trying to insert js code, but if you are trying to insert GTM code in .phtml file then you can use following script

    <?php $scriptString = <<<script

<-- gtm js code goes here-->

script;
?>

<?= / @noEscape / $secureRenderer->renderTag('script', ['type' => 'text/javascript'], $scriptString, false) ?>
    Login or Signup to reply.
  2. 0

    We have the same issue. As I understand it, you can’t put the hash in the script tag either (on Google Tag Manager) as you don’t have access to the identity. Please share any solutions discovered here as this is troubling and it’s only going to get worse if they add further restrictions on other pages.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search