I do not have any tracking on my Google Analytics…
I do suspect that my Content-Security-Policy is wrong, even if the browser console is clean.
This is what I currently have:
Header always set Content-Security-Policy "script-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com img-src: https://www.googletagmanager.com connect-src: https://www.googletagmanager.com;"
Any advice on this issue?
Best.
2 Answers
connect-src and img-src should be without a colon. Also end each policy with a semicolon. But I believe you probably need some other hosts from Google as well in your script-src. If you add a report-to into your CSP you can see what gets blocked. I would also like to suggest not allowing unsafe inline JS (if possible, of course).
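To make the colon problem concrete, here is a small added example (not code from the question or the answer above) that parses a serialized CSP value the way a browser splits it: directives are separated by semicolons, and the first whitespace-separated token of each directive is its name. Written as "img-src:" inside the script-src directive, the token has the shape of a scheme source (like "https:" or "data:"), so it is swallowed into script-src instead of starting a new directive, and the page ends up with no img-src or connect-src at all. The linter flags that, rebuilds the policy with proper directive boundaries, and can append a report-uri directive pointing at an endpoint path that is a constructed placeholder here, not a real one.

```python
"""Minimal CSP linter for the 'directive name written with a colon' mistake.

Added example; assumes nothing beyond the Python standard library. The endpoint
path passed to with_reporting() is a placeholder you replace with your own.
"""

# The header exactly as posted in the question (constructed test input).
POSTED_POLICY = (
    "script-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' "
    "https://www.googletagmanager.com img-src: https://www.googletagmanager.com "
    "connect-src: https://www.googletagmanager.com;"
)

# Common fetch/document/reporting directive names (CSP level 3 subset).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "frame-src", "media-src", "object-src", "worker-src",
    "base-uri", "form-action", "frame-ancestors", "report-uri", "report-to",
}


def parse_csp(policy):
    """Split a serialized policy like a browser: ';' separates directives,
    the first token of each directive is its name, the rest are sources.
    Returns an ordered list of (name, [sources])."""
    directives = []
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def _looks_like_colon_directive(token):
    """True for tokens such as 'img-src:' that are a directive name plus a
    colon. To the parser they look like a scheme source (as 'https:' does),
    so they are silently accepted as a source of the enclosing directive."""
    return token.endswith(":") and token[:-1].lower() in KNOWN_DIRECTIVES


def lint_csp(policy):
    """Return human-readable findings for a policy string (empty list = clean)."""
    findings = []
    for name, sources in parse_csp(policy):
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {name!r}")
        for src in sources:
            if _looks_like_colon_directive(src):
                findings.append(
                    f"{src!r} inside {name} is a directive name with a colon; "
                    f"the browser reads it as a scheme source, so no "
                    f"{src[:-1]} directive exists in this policy"
                )
    return findings


def fix_csp(policy):
    """Rebuild the policy so every colon-suffixed directive name starts its
    own directive, and every directive ends with a semicolon."""
    fixed = []
    for name, sources in parse_csp(policy):
        current = (name, [])
        for src in sources:
            if _looks_like_colon_directive(src):
                fixed.append(current)
                current = (src[:-1].lower(), [])
            else:
                current[1].append(src)
        fixed.append(current)
    return "; ".join(f"{n} {' '.join(s)}".strip() for n, s in fixed) + ";"


def with_reporting(policy, endpoint):
    """Append a report-uri directive unless the policy already reports
    somewhere; violation reports then show which hosts are being blocked."""
    names = {n for n, _ in parse_csp(policy)}
    if "report-uri" in names or "report-to" in names:
        return policy
    return policy.rstrip().rstrip(";") + f"; report-uri {endpoint};"


if __name__ == "__main__":
    for finding in lint_csp(POSTED_POLICY):
        print("finding:", finding)
    corrected = with_reporting(fix_csp(POSTED_POLICY), "/csp-report-placeholder")
    print("corrected:", corrected)
    print("findings after fix:", lint_csp(corrected))
```

Running the script against the posted header reports two findings (img-src and connect-src) and prints a policy with three separate directives plus a reporting directive; the corrected output is what goes into the Apache Header line. The report-uri path is a placeholder, and whatever receives those reports is where the missing Google hosts the answer mentions will show up as blocked URIs.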
Google suggests some CSP policies by itself:
But in order to keep the HTTP header slim I still wonder how to know the required TLDs beforehand.