
I do not have any tracking on my Google Analytics…
I do suspect that my Content-Security-Policy is wrong, even if the browser console is clean.
This is what I currently have:

Header always set Content-Security-Policy "script-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com img-src: https://www.googletagmanager.com connect-src: https://www.googletagmanager.com;"

Any advice on this issue?
Best.

2 Answers


  1. connect-src and img-src should be without a colon. Also end each policy with a semicolon. But I believe you probably need some other hosts from Google as well in your script-src. If you add a report-to into your CSP you can see what gets blocked.

    I would also like to suggest not allowing unsafe inline JS (if possible, of course).

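    As an added illustration of the two problems this answer points out (it is not code from the post or from Google), here is a small linter that splits a CSP value the way a browser does, so you can see why "img-src:" and "connect-src:" end up as source expressions inside script-src rather than as directives, and a repair step that re-splits them. The header string is a copy of the one in the question; the directive list and the "risky source" list are this example's own assumptions.

```python
"""Lint a Content-Security-Policy header value for the mistakes discussed in
this thread: directive names mistyped with a trailing colon (which browsers
read as a scheme source inside the previous directive), missing semicolons,
'unsafe-inline' / 'unsafe-eval' / data: / https: in script-src, and no
reporting directive. Added example; not code from the original post."""

# Directive names this linter recognises (an assumption, not an exhaustive list).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "frame-src", "object-src", "media-src", "worker-src",
    "child-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
    "report-uri", "report-to", "upgrade-insecure-requests", "sandbox",
}

# Source expressions that make a script-src host allowlist meaningless.
RISKY_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "data:", "https:")

# Copy of the header from the question, used as sample input.
ASKER_HEADER = (
    "script-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' "
    "https://www.googletagmanager.com img-src: https://www.googletagmanager.com "
    "connect-src: https://www.googletagmanager.com;"
)


def parse_csp(policy):
    """Split a policy the way a browser does: directives are separated by ';',
    the first whitespace token is the name, the rest are source expressions."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def is_mistyped_directive(token):
    """True for tokens like 'img-src:' that were meant to start a directive."""
    return token.endswith(":") and token[:-1].lower() in KNOWN_DIRECTIVES


def lint_csp(policy):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    parsed = parse_csp(policy)
    for name, sources in parsed.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}'")
        for src in sources:
            if is_mistyped_directive(src):
                findings.append(
                    f"'{src}' inside {name}: drop the colon and end the "
                    f"previous directive with ';'"
                )
        if name == "script-src":
            for src in RISKY_SCRIPT_SOURCES:
                if src in sources:
                    findings.append(f"script-src allows {src}")
    if "report-to" not in parsed and "report-uri" not in parsed:
        findings.append("no report-to/report-uri: blocked loads go unreported")
    return findings


def repair_csp(policy):
    """Re-split a policy whose directives were run together: a token that is a
    mistyped directive name starts a new directive instead of being a source."""
    repaired = {}
    for name, sources in parse_csp(policy).items():
        current = name
        repaired.setdefault(current, [])
        for src in sources:
            if is_mistyped_directive(src):
                current = src[:-1].lower()
                repaired.setdefault(current, [])
            else:
                repaired[current].append(src)
    return repaired


def serialize_csp(directives):
    """Join directives back into a header value, terminating each with ';'."""
    return "; ".join(
        " ".join([name, *sources]) for name, sources in directives.items()
    ) + ";"


if __name__ == "__main__":
    for finding in lint_csp(ASKER_HEADER):
        print("-", finding)
    print(serialize_csp(repair_csp(ASKER_HEADER)))
```

    Running it on the question's header reports the two mistyped directives, the four script-src sources that make the host allowlist pointless, and the missing reporting directive; the repaired value still carries the risky sources, which is deliberate, since removing 'unsafe-inline' is a design decision (nonces or hashes for the inline snippet) rather than a syntax fix.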
  2. Google itself suggests some CSP policies:

    script-src:  https://*.googletagmanager.com
    img-src:     https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com
                 https://*.g.doubleclick.net https://*.google.com https://*.google.<TLD>
    connect-src: https://*.google-analytics.com https://*.analytics.google.com
                 https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://*.google.<TLD>

    But in order to keep the HTTP header slim, I still wonder how to know the required TLDs beforehand.

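    As an added example (not from this answer or from Google's documentation), here is how the hosts listed above fit into the asker's Apache directive once the directives are separated properly and a reporting endpoint is wired in so blocked loads become visible. The reporting URL is a placeholder, and the country-specific https://*.google.<TLD> entries are left out because which ones a site needs depends on its visitors; the reports are how you find out.

```apache
# Added example: the question's header rewritten one directive per line.
# Hosts are the ones from the answer above; the report endpoint is a placeholder.
Header always set Reporting-Endpoints "csp-endpoint=\"https://example.com/csp-reports\""
Header always set Content-Security-Policy "\
default-src 'self'; \
script-src 'self' https://*.googletagmanager.com; \
img-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; \
connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; \
report-to csp-endpoint; \
report-uri https://example.com/csp-reports"
```

    The trailing backslashes are Apache's configuration-file line continuation, so the value is sent as a single header. report-to refers to the endpoint name declared in Reporting-Endpoints; report-uri is kept as the fallback for browsers that do not support the newer directive. Note that script-src no longer carries 'unsafe-inline', so the inline gtag snippet will need a nonce or hash before this policy is switched from report-only to enforcing.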