We’re updating our Magento from 2.4.5-p7 to 2.4.5-p8.
As you know, in Magento 2.4.5-p8 the CSP on the checkout page is now restrict mode instead of report-only.
We know now that the scripts inserted through our magento’s modules/theme must be rendered using the $secureRenderer (example in the image below)
SecureRenderer working well
And the external domains must be added as whitelist (example in the image below)
whitelist working well
But we still have problem loading scripts through Google Tag Manager.
It’s reporting that the inline script will not be loaded (example in the image below)
csp error on loading the GTM script
The script (example in the image below)
GTM script we are tying do load
References:
https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-5-patches
https://developer.adobe.com/commerce/php/development/security/content-security-policies/
How can we insert a script through GTM while preserving the CSP?
I don’t have any clue of how can I load a script through GTM.
2
Answers
I am not sure where you are trying to insert js code, but if you are trying to insert GTM code in .phtml file then you can use following script
We have the same issue. As I understand it, you can’t put the hash in the script tag either (on Google Tag Manager) as you don’t have access to the identity. Please share any solutions discovered here as this is troubling and it’s only going to get worse if they add further restrictions on other pages.