Fix for google analytics CSP errors

src/registrar/config/settings.py

@@ -297,12 +297,26 @@ SERVER_EMAIL = "root@get.gov"
 
 # Content-Security-Policy configuration
 # this can be restrictive because we have few external scripts
-allowed_sources = ("'self'",)
+allowed_sources = (
+    "'self'"
+)
+allowed_sources_scripts = [
+    "'self'",
+    "https://www.googletagmanager.com/",
+    "https://www.google-analytics.com/"
+]
 CSP_DEFAULT_SRC = allowed_sources
-# Most things fall back to default-src, but these two do not and should be
+# Most things fall back to default-src, but the following do not and should be
 # explicitly set
 CSP_FRAME_ANCESTORS = allowed_sources
 CSP_FORM_ACTION = allowed_sources
+CSP_SCRIPT_SRC_ELEM = allowed_sources_scripts
+CSP_SCRIPT_SRC = allowed_sources_scripts
+CSP_CONNECT_SRC = allowed_sources_scripts
+CSP_INCLUDE_NONCE_IN = [
+    'script-src',
+    'script-src-elem'
+    ]
 
 # Cross-Origin Resource Sharing (CORS) configuration
 # Sets clients that allow access control to manage.get.gov

src/registrar/templates/base.html

@@ -6,7 +6,7 @@
   {% if IS_PRODUCTION %}
   <!-- Google tag (gtag.js) -->
   <script async src="https://www.googletagmanager.com/gtag/js?id=G-PZ5QSP6QPL"></script>
-  <script>
+  <script type="text/javascript" nonce="{{request.csp_nonce}}">
     window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-PZ5QSP6QPL');
   </script>
   {% endif %}