Tag debugging

Is your CSP blocking your analytics?

26 June 20267 min readTag debugging

If your tags stopped firing after a security update and the analytics team is blaming the dev team, your Content Security Policy is the most likely culprit. CSP is a browser security header that controls which scripts, connections, and images a page is allowed to load, and it blocks analytics tags as readily as it blocks attackers.

The frustrating part is how quiet the failure is. The page loads. Nothing looks broken. But Google Tag Manager never initialises, GA4 never sends a hit, and your Meta pixel goes dark. Conversions slide in the reports and nobody can point to a single thing that changed, because the only evidence is buried in the browser console.

What a CSP actually does

A Content Security Policy is an HTTP response header. It lists, per resource type, the origins a page may load from. Anything not on the list is refused. The directives that trip up analytics are:

So a policy can fail in two very different ways: the tag never loads (a script-src problem), or the tag loads but its data never sends (a connect-src problem). They look identical in your reports and completely different in the console.

Why it is so hard to catch

CSP violations are the textbook silent failure. There is no error page, no failed deploy, no alert. The console logs a Refused to load or Refused to connect message, but on a busy site that line is lost among dozens of unrelated warnings. The policy may only apply to certain pages, so the problem looks intermittent. And if the team uses Content-Security-Policy-Report-Only, violations are reported but not enforced, which means the policy you test is not the policy that ships.

This is exactly the kind of issue an analytics audit exists to find, and it is why I stopped debugging it by hand.

The extension I built to catch it

I built CSP Detector, a Chrome extension that surfaces Content Security Policy and CORS violations in real time, while you browse the site you are debugging. Instead of scrolling the console, you get:

It runs on Manifest V3, requests only what it needs to read network and console errors, and keeps everything local to your browser. I built it because I kept losing afternoons to tag deployments that broke behind a strict policy, and the console was never fast enough to tell me why.

How to fix a CSP that blocks your tags

The fix is almost always to allowlist the right origins in the right directive. A policy that lets a standard GA4 and GTM setup work looks roughly like this:

Content-Security-Policy:
  script-src 'self' https://www.googletagmanager.com;
  img-src 'self' https://www.google-analytics.com https://*.google-analytics.com;
  connect-src 'self' https://www.google-analytics.com https://*.analytics.google.com
              https://www.googletagmanager.com;

A few rules of thumb that save the most time:

Where this bites hardest

CSP problems cluster around exactly the work that matters most: server-side migrations, consent and tag governance, and any site where security and marketing ship on different schedules. A consent banner tightens the policy, a security review adds a header, a new pixel needs an origin nobody allowlisted, and the data quietly degrades.

If your conversions dropped without an obvious cause, do not assume the tracking code is wrong. Check whether the page is allowed to run it at all.

Common questions

Does CSP block Google Tag Manager?
Yes. A Content Security Policy with a script-src directive that does not include https://www.googletagmanager.com blocks the GTM container script from loading, which stops every tag inside it. The page itself loads fine, so the failure is easy to miss.
How do I allow Google Analytics 4 in my CSP?
GA4 needs two things: the loader in script-src (https://www.googletagmanager.com) and the data endpoints in connect-src (https://www.google-analytics.com and https://*.analytics.google.com). If you collect through a server-side container, add that first-party endpoint to connect-src too.
Why did my tracking stop after a security review?
Security reviews often tighten the policy or add one for the first time. If it does not allowlist your analytics and advertising origins, those tags are blocked silently: conversions drop, but there is no broken page to point to. A data audit isolates which directive is the cause.
What is the difference between CSP and CORS?
CSP is set by the site you are on and controls which resources that page may load. CORS is set by the server you are calling and controls who may read its response. Both can block analytics calls and produce different console errors, which is why CSP Detector flags each separately.

CH·01 · Contact

Conversions dropped
for no reason?

If your numbers slid after a security or consent change, a free health check will tell you whether a blocked tag is the cause, and exactly which directive to fix.

Free Analytics Health Check

Get a fix plan

Book a free 30-min call

LinkedIn

linkedin.com/in/ffgcvs