Where is the inline script coming from that violates my strict CSP on a New Relic host? #32
Answered
by
Kevinchamplin
Kevinchamplin
asked this question in
Q&A
-
|
Where is the inline script coming from that violates my strict CSP on a New Relic host? |
Beta Was this translation helpful? Give feedback.
Answered by
Kevinchamplin
Jun 13, 2026
Replies: 1 comment
-
|
The New Relic PHP agent's auto-RUM feature rewrites the HTML response and injects an inline timing beacon script with no nonce/hash, which a strict CSP correctly blocks. Disable it with newrelic_disable_autorum() early in the bootstrap, or newrelic.browser_monitoring.auto_instrument = false in INI, then re-add RUM yourself with a nonce your CSP allows if you still want it. |
Beta Was this translation helpful? Give feedback.
0 replies
Answer selected by
Kevinchamplin
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The New Relic PHP agent's auto-RUM feature rewrites the HTML response and injects an inline timing beacon script with no nonce/hash, which a strict CSP correctly blocks. Disable it with newrelic_disable_autorum() early in the bootstrap, or newrelic.browser_monitoring.auto_instrument = false in INI, then re-add RUM yourself with a nonce your CSP allows if you still want it.