We’re updating our Magento from 2.4.5-p7 to 2.4.5-p8.
As you know, in Magento 2.4.5-p8 the CSP on the checkout page is now in restrict mode instead of report-only.
We now know that scripts inserted through our Magento modules/theme must be rendered using the $secureRenderer (example in the image below).
[Image: SecureRenderer working well]
And the external domains must be added to the whitelist (example in the image below).
[Image: whitelist working well]
But we still have a problem loading scripts through Google Tag Manager.
It’s reporting that the inline script will not be loaded (example in the image below).
[Image: CSP error on loading the GTM script]
The script (example in the image below):
[Image: GTM script we are trying to load]
References:
https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-5-patches
https://developer.adobe.com/commerce/php/development/security/content-security-policies/
How can we insert a script through GTM while preserving the CSP?
I don’t have any clue how I can load a script through GTM.
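The situation described above, as an added example that is not part of the original post or of Magento's code: a small Python checker showing why a host whitelist entry does not cover an inline script under an enforced CSP, and what hash-source would match it. The policy string, nonce and script text are constructed sample values, and the check is simplified to `script-src` with `default-src` as fallback.

```python
import base64
import hashlib

HASH_ALGS = ("sha256", "sha384", "sha512")

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_hash(script_text, algorithm="sha256"):
    """Hash-source for the exact text between <script> and </script>."""
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))

def inline_script_verdict(header, script_text, nonce=None):
    """Say whether an inline script passes the policy, and why."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "allowed: no script-src or default-src directive"
    lowered = [s.lower() for s in sources]
    prefixes = ("'nonce-",) + tuple("'%s-" % a for a in HASH_ALGS)
    has_nonce_or_hash = any(s.startswith(prefixes) for s in lowered)
    if nonce and "'nonce-%s'" % nonce in sources:
        return "allowed: nonce matches"
    if any(csp_hash(script_text, a) in sources for a in HASH_ALGS):
        return "allowed: hash matches"
    # Browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is listed.
    if ("'unsafe-inline'" in lowered and not has_nonce_or_hash
            and "'strict-dynamic'" not in lowered):
        return "allowed: 'unsafe-inline'"
    # Host entries such as https://www.googletagmanager.com only match script URLs.
    return "blocked: needs a matching nonce or " + csp_hash(script_text)

# Constructed sample values (assumptions, not taken from the post or its images).
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' "
                 "https://www.googletagmanager.com 'nonce-r4nd0mPerRequest' 'unsafe-inline'")
SAMPLE_INLINE = "window.dataLayer = window.dataLayer || [];"

if __name__ == "__main__":
    print(inline_script_verdict(SAMPLE_POLICY, SAMPLE_INLINE))
    print(inline_script_verdict(SAMPLE_POLICY, SAMPLE_INLINE, nonce="r4nd0mPerRequest"))
```

The hash covers the script text byte for byte, so any whitespace or content change made when the tag is published produces a different value.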