Saturday 7 August 2021

Google Analytics sha384 integrity hash not working

I have a Google Analytics script in my Jekyll app that suddenly stopped capturing visitor information. I have determined that the hash has been deprecated, and I have included the error messages that I get below:

<script async src="https://www.googletagmanager.com/gtag/js?id=XYZ" integrity="sha384-MY HASH" crossorigin="anonymous"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-144775756-1');
</script>

In Firefox Dev Ed:

None of the “sha384” hashes in the integrity attribute match the content of the subresource.

In Chrome:

GET https://www.googletagmanager.com/gtag/js?id=XYZ net::ERR_BLOCKED_BY_CLIENT

I cannot remove the integrity hash for security reasons, and I need those analytics.

I have tried changing the integrity hash via https://www.srihash.org/, but unfortunately nothing really changes.

I have tried adding a CSP meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://www.googletagmanager.com">

However, that results in the same errors as above, as well as these errors:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' https://www.googletagmanager.com". Either the 'unsafe-inline' keyword, a hash ('sha256-UVGwFlokk48rx16gP58wsQf8mf94VqVbcJorUyG9iug='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' https://www.googletagmanager.com". Either the 'unsafe-inline' keyword, a hash ('sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Update:

I was able to fix the CSP errors with this solution, but the original problem with the sha384 hash still persists.
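
The Firefox message quoted above is what a browser reports when the base64 SHA-384 digest of the bytes it received differs from the value in the integrity attribute. The Python check below is an added example, not part of the original post; it reproduces that comparison offline, and its function names and sample script bodies are constructed for illustration.

```python
import base64
import hashlib

# Hash functions SRI allows, weakest to strongest; a browser checks only the
# strongest algorithm present in the integrity attribute.
STRENGTH = ["sha256", "sha384", "sha512"]


def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity token for body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Group the attribute's tokens by algorithm, ignoring unusable ones."""
    by_alg = {}
    for token in attr.split():
        alg, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # drop an optional ?options suffix
        if sep and alg in STRENGTH and b64:
            by_alg.setdefault(alg, set()).add(b64)
    return by_alg


def check(attr: str, body: bytes) -> bool:
    """Mimic the browser decision: True means the script would be allowed."""
    by_alg = parse_integrity(attr)
    if not by_alg:
        return True  # no usable hash tokens, so nothing is enforced
    strongest = max(by_alg, key=STRENGTH.index)
    actual = sri_value(body, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


# Constructed sample bodies standing in for two responses from one URL.
PINNED_BODY = b"window.dataLayer=window.dataLayer||[];/* build 1 */"
SERVED_BODY = b"window.dataLayer=window.dataLayer||[];/* build 2 */"
PINNED_ATTR = sri_value(PINNED_BODY)

if __name__ == "__main__":
    print("pinned :", PINNED_ATTR)
    print("served :", sri_value(SERVED_BODY))
    print("same bytes allowed :", check(PINNED_ATTR, PINNED_BODY))
    print("new bytes allowed  :", check(PINNED_ATTR, SERVED_BODY))
```

A pinned value stays valid only while the served bytes are identical; feeding `check` the bytes a URL returns at two different times shows whether that holds for a given resource.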


