Use Google Tag Manager with a Content Security Policy

Content Security Policy (CSP) is a widely supported Web security standard intended to prevent certain types of injection-based attacks by providing a standard method for declaring allowed content origins. If you use a CSP, use this guide to understand how to configure Google Tag Manager to work with your CSP implementation.

To use Tag Manager on a page with a Content Security Policy, the CSP must allow the Tag Manager snippet to execute. The snippet is an inline JavaScript block that injects the gtm.js script, so 'unsafe-inline' must be added to the CSP's script-src section.

For secure pages, Tag Manager can be enabled by the following directives:

script-src: 'unsafe-inline' https://www.googletagmanager.com
img-src: https://www.googletagmanager.com

For non-secure pages:

script-src: 'unsafe-inline' https://www.googletagmanager.com
img-src: http://www.googletagmanager.com

Custom JavaScript Variables

To use Custom JavaScript variables in Tag Manager on a page with CSP, you must add the 'unsafe-eval' directive to the script-src section of the CSP policy. This is due to the way Custom JavaScript variables are implemented. Unless this is done, all Custom JavaScript variables will evaluate to undefined.

script-src: 'unsafe-eval'

Preview Mode

In order to use Google Tag Manager's Preview Mode, the CSP must include the following directives:

script-src: https://tagmanager.google.com
style-src: https://tagmanager.google.com https://fonts.googleapis.com
img-src: https://ssl.gstatic.com https://www.gstatic.com
font-src: https://fonts.gstatic.com data:

Universal Analytics (Google Analytics)

To use the Universal Analytics (Google Analytics) tag, the CSP must include the following directives:

script-src: https://www.google-analytics.com https://ssl.google-analytics.com
img-src: https://www.google-analytics.com
connect-src: https://www.google-analytics.com
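As an added, self-contained example (not Google's code and not part of Tag Manager), the following Python assembles a single Content-Security-Policy header value from the directive lists above for secure pages, Preview Mode and Universal Analytics, and checks an existing header against them, honouring the browser's fallback from an absent fetch directive to default-src. It matches sources exactly, so host wildcards in a deployed header are not expanded.

```python
from typing import Dict, List, Tuple
# Directive lists taken from this page: secure pages, Preview Mode, Universal Analytics.
GTM_SECURE = {
    "script-src": ["'unsafe-inline'", "https://www.googletagmanager.com"],
    "img-src": ["https://www.googletagmanager.com"],
}
PREVIEW_MODE = {
    "script-src": ["https://tagmanager.google.com"],
    "style-src": ["https://tagmanager.google.com", "https://fonts.googleapis.com"],
    "img-src": ["https://ssl.gstatic.com", "https://www.gstatic.com"],
    "font-src": ["https://fonts.gstatic.com", "data:"],
}
UNIVERSAL_ANALYTICS = {
    "script-src": ["https://www.google-analytics.com", "https://ssl.google-analytics.com"],
    "img-src": ["https://www.google-analytics.com"],
    "connect-src": ["https://www.google-analytics.com"],
}

def merge(*fragments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Union the source lists of several fragments, directive by directive, keeping order."""
    merged: Dict[str, List[str]] = {}
    for fragment in fragments:
        for directive, sources in fragment.items():
            bucket = merged.setdefault(directive, [])
            bucket.extend(s for s in sources if s not in bucket)
    return merged

def to_header(policy: Dict[str, List[str]]) -> str:
    """Serialise to header syntax: 'directive source source; directive ...'."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def parse_header(header: str) -> Dict[str, List[str]]:
    """Parse a header value back into {directive: [sources]}; a repeated directive is ignored."""
    parsed: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in parsed:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed

def missing_sources(header: str, required: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs the header does not allow. An absent fetch directive falls
    back to default-src as in the browser; with neither present nothing is restricted. Exact matches only."""
    policy = parse_header(header)
    missing: List[Tuple[str, str]] = []
    for directive, sources in required.items():
        allowed = policy.get(directive, policy.get("default-src"))
        if allowed is not None:
            missing.extend((directive, s) for s in sources if s not in allowed)
    return missing
```

Run `missing_sources` against the header your server actually sends before enabling a tag; an empty list means every source the page lists for those features is allowed.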

Google Optimize

To use a Google Optimize tag, the CSP must include the following directives:

script-src: https://www.google-analytics.com

Google Ads Conversions

To use a Google Ads conversion tag, the CSP must include the following directives:

For secure connections:

script-src: https://www.googleadservices.com
img-src: https://googleads.g.doubleclick.net https://www.google.com

For non-secure connections:

script-src: http://www.googleadservices.com
img-src: https://googleads.g.doubleclick.net https://www.google.com

Google Ads Remarketing

To use a Google Ads remarketing tag, the CSP must include the following directives:

For non-secure connections:

script-src: http://www.googleadservices.com https://googleads.g.doubleclick.net
img-src: https://www.google.com
frame-src: https://bid.g.doubleclick.net

For secure connections:

script-src: https://www.googleadservices.com https://googleads.g.doubleclick.net
img-src: https://www.google.com
frame-src: https://bid.g.doubleclick.net