How to fix CORS and CSP errors
Updated Mar 23, 2026
Cross-origin resource sharing (CORS) and content security policy (CPS) are common issues that cause tags malfunction. When you check the browser’s console, you may see that the request was blocked as it violates CORS/CPS directives.
CORS errors occur when a webpage sends a request to a domain different from the one that served the page. The server responds with an HTTP error because its CORS configuration does not permit the "Origin" header to be included in the request.
This issue usually appears when users configure CORS policies that are too strict. As a result, you may experience issues such as:
- The container not working.
- Events not firing.
- Platforms not receiving data.
To confirm the issue:
- Open the browser console on the website.
- Reload the page or trigger events (for example, add an item to the cart).
- Check if you see messages similar to the examples below.
For instance, GTM may fail to load due to CSP (Content Security Policy) restrictions:
Solution:
Add, or ask your developers to add the required exceptions to the CORS/CSP configuration, so that your tags do not get blocked. We also suggest you review Google’s official documentation.
Comments