I'm implementing global tracking on my site following the steps described by Google. But I want to also keep my Subresource Integrity
(SRI) up to date. So I ran the following command to find the integrity hash for gtag.js
.
> curl -s https://www.googletagmanager.com/gtag/js |\
openssl dgst -sha384 -binary |\
openssl base64 -A
Adding this as the integrity attribute to the script
tag with the crossorigin="anonymous"
attribute, causes the browser to fail loading the gtag script. Reason:
Subresource Integrity: The resource 'https://www.googletagmanager.com/gtag/js' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.
Apparent reason is the access-control-allow-origin
header which google returns and only allows the same-host origin.
Does anyone know if there is a different host for this script? Is there another way to adopt gtag in your site?