Google Tag Manager and Content Security Policy


I am trying to implement Content Security Policy on my website. But when I am implementing script-src it is giving me this error.

Refused to load the script 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXX' because it violates the following

My Content Security Policy is

Content-Security-Policy: script-src 'self' 'unsafe-eval' https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js https://www.google-analytics.com 'unsafe-eval' 'unsafe-inline' https://*.googletagmanager.com/gtm.js/  https://tagmanager.google.com/http://www.googleadservices.com/pagead/conversion_async.js https://*.google.com;

Solution

    1. Remove the trailing slash in https://*.googletagmanager.com/gtm.js/ because CSP considers it a folder, but really it's a file. It is more reliable to specify just https://*.googletagmanager.com without a path/filename.

    2. Insert a space between https://tagmanager.google.com/ and http://www.googleadservices.com/pagead/conversion_async.js because you specify an incorrect host-source: https://tagmanager.google.com/http://www.googleadservices.com/pagead/conversion_async.js.

    Note 1: the host-source http://www.googleadservices.com/pagead/conversion_async.js is covered by https://*.google.com (it falls under that template).

    Note 2: script-src 'unsafe-inline' does not protect against XSS. Consider not using 'unsafe-inline' in the script-src directive.
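To see why the browser rejects gtm.js under the original policy and accepts it after fixes 1 and 2, here is a small host-source matcher written for this answer (added example code, not part of the original post and not how any browser is implemented). It follows the CSP3 matching rules: a path ending in "/" is a directory prefix match, any other path must match exactly, and "*.example.com" matches subdomains of example.com only. It also lints a source list for the two mistakes above: a filename followed by a trailing slash, and two hosts fused together because the space between them is missing. Ports are ignored and keyword sources ('self', 'unsafe-inline', ...) never match an external URL; both are simplifications assumed for this example.

```python
"""Minimal CSP host-source matcher and linter (added example, not browser code).

Assumptions: ports are ignored, and keyword sources such as 'self' or
'unsafe-inline' are never treated as matching an external URL.
"""

# The script-src value from the question (semicolon dropped; the jsdelivr URL is
# reproduced as printed on the page) and the same value with fixes 1 and 2 applied.
ORIGINAL_SCRIPT_SRC = (
    "'self' 'unsafe-eval' "
    "https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js "
    "https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js "
    "https://www.google-analytics.com 'unsafe-eval' 'unsafe-inline' "
    "https://*.googletagmanager.com/gtm.js/ "
    "https://tagmanager.google.com/http://www.googleadservices.com/pagead/conversion_async.js "
    "https://*.google.com"
)
FIXED_SCRIPT_SRC = (
    "'self' 'unsafe-eval' "
    "https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js "
    "https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js "
    "https://www.google-analytics.com 'unsafe-eval' 'unsafe-inline' "
    "https://*.googletagmanager.com "
    "https://tagmanager.google.com/ http://www.googleadservices.com/pagead/conversion_async.js "
    "https://*.google.com"
)

# URL the browser refused to load, from the error message in the question.
GTM_URL = "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXX"


def split_source(src):
    """Split a host-source or URL into (scheme, host, path); scheme may be ''."""
    scheme, sep, rest = src.partition("://")
    if not sep:
        scheme, rest = "", src
    rest = rest.split("?", 1)[0].split("#", 1)[0]   # drop query string and fragment
    host, slash, path = rest.partition("/")
    host = host.partition(":")[0]                     # ignore ports (simplification)
    return scheme.lower(), host.lower(), slash + path


def lint_source(src):
    """Return a warning for a malformed source expression, or None if it looks fine."""
    if src.startswith("'"):
        return None                                   # keyword source, nothing to lint
    lower = src.lower()
    for scheme in ("http://", "https://"):
        idx = lower.find(scheme, 1)                   # a second scheme inside the token
        if idx > 0:
            return "fused hosts (missing space): %s | %s" % (src[:idx], src[idx:])
    _, _, path = split_source(src)
    last_segment = path.rstrip("/").rsplit("/", 1)[-1]
    if path.endswith("/") and "." in last_segment:
        return "trailing slash turns %s into a directory prefix, not a file" % src
    return None


def host_matches(pattern_host, url_host):
    """'*.example.com' matches any host ending in '.example.com'; else exact match."""
    if pattern_host.startswith("*."):
        return url_host.endswith(pattern_host[1:])
    return pattern_host == url_host


def path_matches(pattern_path, url_path):
    """CSP3 path-part matching: directory prefix if the path ends in '/', else exact."""
    if pattern_path in ("", "/"):
        return True
    if pattern_path.endswith("/"):
        return url_path.startswith(pattern_path)
    return url_path == pattern_path


def source_allows(src, url):
    """Does a single source expression allow loading `url`?"""
    if src.startswith("'"):
        return False                                  # keyword sources are not host sources
    p_scheme, p_host, p_path = split_source(src)
    u_scheme, u_host, u_path = split_source(url)
    # A scheme-less source inherits the page scheme; an http: source also allows https:.
    scheme_ok = (p_scheme == "" or p_scheme == u_scheme
                 or (p_scheme == "http" and u_scheme == "https"))
    return scheme_ok and host_matches(p_host, u_host) and path_matches(p_path, u_path or "/")


def script_allowed(directive_value, url):
    """Does any source expression in a script-src value allow `url`?"""
    return any(source_allows(s, url) for s in directive_value.split())


if __name__ == "__main__":
    for src in ORIGINAL_SCRIPT_SRC.split():
        warning = lint_source(src)
        if warning:
            print("lint:", warning)
    print("original allows gtm.js:", script_allowed(ORIGINAL_SCRIPT_SRC, GTM_URL))
    print("fixed allows gtm.js:   ", script_allowed(FIXED_SCRIPT_SRC, GTM_URL))
```

Running it prints the two lint warnings for the original value and shows that only the fixed value allows the gtm.js URL: "/gtm.js/" is a prefix that "/gtm.js" does not start with, while "https://*.googletagmanager.com" with no path matches every path on that host.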