
I embed analytics like this:

<script type="text/javascript" async="" src="http://www.google-analytics.com/plugins/ua/linkid.js"></script>

Then I added some Google domains to the CSP like this:

BrowserPolicy.content.allowScriptOrigin("*.google-analytics.com");
BrowserPolicy.content.allowImageOrigin("*.google.com");

This loads fine; however, as soon as Analytics tries to send some tracking info, it sometimes tries to load an image from google.pl (based on location). Is there any way to make sure that only .com is used? I obviously can't list all Google domains in the CSP headers.

The exact error is:

Refused to load the image 'https://www.google.pl/blabla' because it violates the following Content Security Policy directive: "img-src data: 'self' http://*.doubleclick.net https://*.doubleclick.net http://*.facebook.com https://*.facebook.com http://*.google.com https://*.google.com http://www.google-analytics.com https://www.google-analytics.com".

If it is of importance, the frameworks used here are Meteor 1.3.5.1 and the browser policy package browser-policy@1.0.9.

Anand Bhat
Alex K
    I had the same issue and it was because I was simply adding sources as they were reported by the browser and that was a mistake. It should work if you add the proper sources as Google specifies in the docs here: https://developers.google.com/tag-manager/web/csp#universal_analytics_google_analytics – Caruso Jan 22 '20 at 15:11
  • how does adding the proper sources solve the country domain issue? – gaurav5430 Oct 09 '21 at 09:40
  • Does this answer your question? [Google Adwords CSP (content security policy) img-src](https://stackoverflow.com/questions/34361383/google-adwords-csp-content-security-policy-img-src) – Shlang Apr 03 '23 at 16:06

1 Answer

One solution is to use Geo IP to try to guess the domain. You could probably always include .com and the country domain dynamically, but I doubt this is a reliable solution.

Mārtiņš Briedis
  • Interesting idea, so I could at least try to detect location and include that domain in the CSP headers to reduce the possibility of blockage – Alex K Jun 07 '17 at 14:14
  • I ended up just dropping the image property altogether, too much hassle. I can't avoid using inline scripts, so I think the image is the least danger :) – Mārtiņš Briedis Jun 07 '17 at 14:24
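
The following is an added example, not code from the question, from Meteor or from the browser-policy package. It implements a small matcher for CSP source expressions and runs the exact img-src directive from the question's error message against the blocked google.pl URL, so the reason for the refusal (a host-source wildcard only covers subdomains of the listed host; it says nothing about other TLDs) is visible in code rather than in a browser console. It also covers the answer's idea of appending a country domain: `withCountryDomain` is a hypothetical helper that takes the country TLD as a parameter, since the GeoIP lookup itself is outside the example. The page origin `https://example.com` is a constructed value. Only 'self', 'none', scheme sources such as `data:`, and host sources with wildcards and ports are handled; path matching, nonces and hashes are deliberately omitted.

```javascript
// Added example, not code from the question, Meteor or the browser-policy
// package: a small matcher for CSP source expressions, used to show why the
// img-src policy from the question rejects https://www.google.pl and what
// adding a country domain (the answer's idea) changes. It covers 'self',
// 'none', scheme sources (data:) and host sources with wildcards and ports;
// path matching, nonces and hashes are deliberately left out.

// The img-src directive quoted in the question's error message.
const QUESTION_IMG_SRC =
  "img-src data: 'self' http://*.doubleclick.net https://*.doubleclick.net " +
  "http://*.facebook.com https://*.facebook.com http://*.google.com " +
  "https://*.google.com http://www.google-analytics.com https://www.google-analytics.com";

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Split a directive into its name and its whitespace-separated source list.
function parseDirective(directive) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  return { name, sources };
}

// Match one host-source ("https://*.google.com", "*.google-analytics.com",
// "https://cdn.example.com:8443") against a URL, following the CSP scheme,
// host and port rules. selfOrigin is the origin of the protected page.
function hostSourceMatches(source, url, selfOrigin) {
  const target = new URL(url);
  const self = new URL(selfOrigin);

  // Optional scheme, then host[:port][/path]; the path is ignored here.
  let scheme = null;
  let rest = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) {
    scheme = m[1].toLowerCase() + ":";
    rest = m[2];
  }
  const [host, port] = rest.split("/")[0].toLowerCase().split(":");

  // Scheme: a source without one inherits the page's scheme; http also
  // admits https (the CSP3 "upgrade" rule), the reverse does not hold.
  const allowedScheme = scheme || self.protocol;
  const schemeOk =
    target.protocol === allowedScheme ||
    (allowedScheme === "http:" && target.protocol === "https:");
  if (!schemeOk) return false;

  // Host: "*" matches anything, "*.google.com" matches subdomains of
  // google.com only (not google.com itself, and certainly not google.pl).
  let hostOk;
  if (host === "*") hostOk = true;
  else if (host.startsWith("*.")) hostOk = target.hostname.endsWith(host.slice(1));
  else hostOk = target.hostname === host;
  if (!hostOk) return false;

  // Port: no port in the source means only the scheme's default port.
  if (port === undefined) return target.port === "";
  if (port === "*") return true;
  return (target.port || DEFAULT_PORT[target.protocol]) === port;
}

// Would a fetch of url be allowed by this directive on a page at selfOrigin?
function directiveAllows(directive, url, selfOrigin) {
  const { sources } = parseDirective(directive);
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === new URL(selfOrigin).origin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    return hostSourceMatches(src, url, selfOrigin);
  });
}

// The answer's approach (hypothetical helper): append one more host-source
// for the country domain the visitor is expected to hit. The TLD has to come
// from elsewhere, e.g. a GeoIP lookup, so it is simply a parameter here.
function withCountryDomain(directive, countryTld) {
  return `${directive} https://www.google.${countryTld}`;
}

// Usage; PAGE is a constructed origin for the example.
const PAGE = "https://example.com";
console.log(directiveAllows(QUESTION_IMG_SRC, "https://www.google.pl/blabla", PAGE)); // false
console.log(directiveAllows(withCountryDomain(QUESTION_IMG_SRC, "pl"), "https://www.google.pl/blabla", PAGE)); // true
```

Run it with `node` and the first line prints `false`, reproducing the refusal from the question, while the second prints `true` once `https://www.google.pl` is on the list. The matcher also makes the limits of the workaround concrete: a source like `https://*.google.*` would be parsed as a host with a literal `*` suffix and match nothing, so there is no wildcard that spans TLDs, and every country domain Google may redirect to has to be listed explicitly.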