Google Tag Manager console error after removing unsafe-eval from CSP header
出于安全原因,我们需要从应用程序的内容安全策略标头中删除
call to eval() or related function blocked by CSP
我们还向
有没有一种方法只能允许
示例分析代码段低于我们在脚本中使用的代码
1 2 3 4 5 6 7 8 | (function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' }); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src = '//www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-123456'); |
根据此Lunametrics文章,GTM将eval用作自定义javascript变量:
[...] your scripts may execute a little more slowly as a result, since there
will now be an additional eval() for the Custom JavaScript Variable
that you are passing your arguments to
实际上,当我在将以下代码段添加到gtm.js文件之前,将自定义JS变量添加到一个没有任何自定义变量的容器时:
1 2 3 4 5 | // Copyright 2012 Google Inc. All rights reserved. // Container Version: QUICK_PREVIEW (function(w,g){w[g]=w[g]||{};w[g].e=function(s){return eval(s);};})(window,'google_tag_manager');(function(){ var __c;__c=function(a){return a["39"]};__c.a="c";__c.b=["google"];__c.isVendorTemplate=!0; |
(注意在注释后的第一行中使用eval)。
因此,我怀疑如果不使用自定义javascript变量,则删除unsafe-eval可能可行。