Comments (4)
Hello @flowtsohg !
I was not aware of this, thanks for opening the issue.
"Due to the inline script used to initialize window.dataLayer, CSP requires script-src 'unsafe-inline'".
Is it required to use script-src 'unsafe-inline'?
From the link you provided:
When you want to allow inline scripts or styles on a page that uses CSP, there are two much better options: nonce or hash.
Would it be possible to use any of those instead of 'unsafe-inline'?
Maybe we could expose a nonce prop so it can be set and not lose the benefits of using Nextjs/Script tag, what do you think about this?
I'm not against your approach and I think it should be a fairly easy change in the GoogleAnalytics component. If you have the time feel free to open a PR, I'll be glad to merge it.
from nextjs-google-analytics.
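The nonce and hash options raised in the comment above, shown as an added example that is not part of the thread or of nextjs-google-analytics. The inline script text, the function names and the simplified allow check are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample of an inline dataLayer bootstrap (not the library's exact script).
const INLINE_SCRIPT = [
  'window.dataLayer = window.dataLayer || [];',
  'function gtag(){dataLayer.push(arguments);}',
  "gtag('js', new Date());",
].join('\n');

// CSP hash source: base64 SHA-256 over the exact text between <script> and </script>.
function hashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// CSP nonce source value: fresh and unpredictable for every response (128 bits here).
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Build a script-src directive that does not need 'unsafe-inline'.
function scriptSrc({ nonce, hashes = [] }) {
  const sources = ["'self'", ...hashes];
  if (nonce) sources.push(`'nonce-${nonce}'`);
  return `script-src ${sources.join(' ')}`;
}

// Simplified model of the browser's inline-script decision (assumption: only
// script-src, sha256 hashes and nonces are considered; no 'strict-dynamic').
function inlineAllowed(directive, { text, nonce }) {
  const sources = directive.split(/\s+/).slice(1);
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256)-/.test(s));
  // 'unsafe-inline' is ignored once a nonce or hash source is present.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  return sources.includes(hashSource(text));
}

const hashPolicy = scriptSrc({ hashes: [hashSource(INLINE_SCRIPT)] });
const nonce = newNonce();
const noncePolicy = scriptSrc({ nonce });

console.log(hashPolicy);
console.log(noncePolicy);
// A hash source stops matching after any byte change, even one trailing space.
console.log(inlineAllowed(hashPolicy, { text: INLINE_SCRIPT + ' ' }));
```

A hash fits a static inline script and has to be recomputed whenever that script changes; a nonce has to be generated per response and set both in the header and on the script element.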
I went back to using your library because my code actually didn't work correctly, haha (albeit that's because I don't know gtag and am focusing on other things).
I did ultimately use a hash since the browser reports the required hashes of CSP blocked files.
Adding an optional nonce could be a nice middle-way solution.
Hi @flowtsohg !
The nonce prop has been added, it's on v2.3.2.
Is it ok to close this issue?
Thanks! seems good to close