
I set the img-src directive of the HTTP Content-Security-Policy header, which specifies the valid sources of images and favicons allowed on my site. I also set up Google Analytics. Here is the value of the directive:

img-src 'self' data: www.google-analytics.com https://www.google.com/pagead/

The problem is that Google switches to the visitor's country domain, so it tries to load a special service image from that domain rather than from www.google.com. E.g. if I visit the site from Italy (google.com => google.it), the browser console complains:

Refused to load the image 'https://www.google.it/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-1234…' because it violates the following Content Security Policy directive: "img-src 'self' data: www.google-analytics.com https://www.google.com/pagead/".

Is there any way to count all possible domain zones of google.com in the img-src directive? As far as I know, it's impossible to write something like "google.*". Probably there is some solution on the Google Analytics side?

Eugene Kuzmin

1 Answer


Unfortunately, with Content-Security-Policy, resources need to be whitelisted, and wildcards would not be compatible with that idea:

Wildcards are accepted, but only as a scheme, a port, or in the leftmost position of the hostname: *://*.example.com:* would match all subdomains of example.com (but not example.com itself), using any scheme, on any port.

See this previous answer for solutions to this issue.

MarkRobbo
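To make the matching rule in the answer concrete, here is an added example (not code from the question, the answer, or any browser) that implements a simplified CSP Level 3 host-source matcher and runs the directive value quoted in the question against the blocked www.google.it URL. The page origin https://example.com/ and the extra sample URLs are constructed; percent-decoding of paths and redirect handling are omitted.

```javascript
// Added example (not code from the question or answer): a simplified CSP host-source
// matcher following the CSP Level 3 rules. It shows why the quoted img-src value blocks
// www.google.it and why '*.google.com' would not help. Page origin and extra URLs are constructed.
// Parse a host-source token: [scheme://]host[:port][/path]
function parseHostSource(token) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/*]+|[^:/*]+|\*)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(token);
  if (!m) return null;
  return { scheme: m[1] && m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3], path: m[4] || '' };
}
const defaultPort = (scheme) => (scheme === 'https' || scheme === 'wss' ? '443' : '80');
function hostSourceMatches(src, url, originScheme) {
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1);
  // Scheme: an explicit scheme must match (https also satisfies http); without one, the page's own scheme or its secure upgrade is required.
  const want = src.scheme || originScheme;
  if (urlScheme !== want && !(want === 'http' && urlScheme === 'https')) return false;
  // Host: '*.example.com' covers subdomains only, never example.com itself; the TLD can never vary ('google.*' does not parse).
  if (src.host.startsWith('*.')) {
    if (!u.hostname.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== '*' && u.hostname !== src.host) return false;
  // Port: an absent port means the URL must use its scheme's default port.
  const urlPort = u.port || defaultPort(urlScheme);
  if (src.port === undefined ? urlPort !== defaultPort(urlScheme) : (src.port !== '*' && src.port !== urlPort)) return false;
  // Path: a trailing '/' is a prefix match, otherwise exact (percent-decoding omitted here).
  if (src.path && (src.path.endsWith('/') ? !u.pathname.startsWith(src.path) : u.pathname !== src.path)) return false;
  return true;
}
// Evaluate an img-src value (without the directive name) against one image URL.
function imgAllowed(directiveValue, imageUrl, pageUrl) {
  const page = new URL(pageUrl);
  const originScheme = page.protocol.slice(0, -1);
  for (const token of directiveValue.trim().split(/\s+/)) {
    if (token === "'self'") {
      const self = { scheme: originScheme, host: page.hostname, port: page.port || undefined, path: '' };
      if (hostSourceMatches(self, imageUrl, originScheme)) return true;
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(token)) { // scheme-source such as data:
      if (new URL(imageUrl).protocol === token.toLowerCase()) return true;
    } else {
      const src = parseHostSource(token);
      if (src && hostSourceMatches(src, imageUrl, originScheme)) return true;
    }
  }
  return false;
}
// The directive value from the question; the page origin is constructed.
const IMG_SRC = "'self' data: www.google-analytics.com https://www.google.com/pagead/";
const PAGE = 'https://example.com/';
console.log(imgAllowed(IMG_SRC, 'https://www.google.it/ads/ga-audiences?v=1&aip=1', PAGE)); // false
console.log(imgAllowed(IMG_SRC, 'https://www.google.com/pagead/1p-user-list/', PAGE));     // true
console.log(imgAllowed('*.google.com', 'https://www.google.it/ads/ga-audiences', PAGE));   // false
```

Run with `node`; the last line shows that even the broadest permitted wildcard, `*.google.com`, still cannot reach a different top-level domain, which is the point the answer makes.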