Question posted in
Some documentation to get you started can be found here.

Content-Security-Policy for Google Analytics v4 – Apache

I do not have any tracking on my Google Analytics…
I do suspect that my Content-Security-Policy is wrong, even if the browser console is clean.
This is what I currently have:

Header always set Content-Security-Policy "script-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com img-src: https://www.googletagmanager.com connect-src: https://www.googletagmanager.com;"

Any advise on this issue?
Best.

Tags:

2

Answers


  1. 0

    connect-src and img-src should be without a colon. Also end each policy with a semicolon. But I believe you probably need some other hosts from Google aswell in your script-src. If you add a report-to into your CSP you can see what gets blocked.

    I would also like to suggest to not allow unsafe inline js (if possible of course)

    Login or Signup to reply.
  2. 0

    Google suggests some CSP policies by itself:

    script-src:  https://*.googletagmanager.com
img-src:     https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com
             https://*.g.doubleclick.net https://*.google.com https://*.google.<TLD>
connect-src: https://*.google-analytics.com https://*.analytics.google.com
             https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://*.google.<TLD>

    But in order to keep the HTTP header slim I still wonder how to know the required TLDs beforehand.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search