I have the Content Security Policy:
default-src 'none';
style-src 'self';
script-src 'self' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
connect-src 'self';
On my page I have put the inline GA code into an async script:
<script src="/javascript/ga.js" async></script>
This causes a CSP error:
Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZl…07Cgl9OwoJZ2EucmVtb3ZlID0gbm9vcGZuOwoJd2luZG93W2dhTmFtZV0gPSBnYTsKfSkoKTs=' because it violates the following Content Security Policy directive: "script-src 'self' https://www.google-analytics.com".
Is there any way to serve this script from a JS file, and if not, how would I need to change the CSP?
Google Analytics is CSP-compatible. The base64-encoded data: blob OP is seeing is being injected by the uBlock Origin extension. To verify, disable it/try incognito. IIRC, this is due to an "experimental/unbreak" setting in the extension.
Please resist the temptation to whitelist data: in script-src. That would make the policy completely useless for XSS mitigation, since an attacker could just inject <script src="data:text/javascript,alert(1)"></script> to execute JavaScript.
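To make the answer's point concrete, here is an added example (not code from the question or the answer): a simplified CSP source-list matcher that evaluates the policy from the question against the script URLs involved. It assumes the page is served from https://example.com and only handles 'none', 'self', scheme sources such as data: and plain host sources, not wildcards, ports, nonces or hashes.

```javascript
// Simplified CSP script-src matcher (added example; not a full CSP3 implementation).
const PAGE_ORIGIN = "https://example.com"; // assumed origin of the page in the question

// The policy from the question, as a single header value.
const ORIGINAL_POLICY =
  "default-src 'none'; style-src 'self'; " +
  "script-src 'self' https://www.google-analytics.com; " +
  "img-src 'self' https://www.google-analytics.com; connect-src 'self'";

// The tempting "fix" the answer warns against: whitelisting data: in script-src.
const WEAKENED_POLICY = ORIGINAL_POLICY.replace(
  "script-src 'self'", "script-src 'self' data:");

// Split "name src src; name src" into { name: [src, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does the policy allow loading a script from `url`?
// script-src is used when present, otherwise default-src (CSP fallback rule).
function scriptAllowed(policy, url, pageOrigin = PAGE_ORIGIN) {
  const d = parsePolicy(policy);
  const sources = d["script-src"] || d["default-src"] || [];
  if (sources.includes("'none'")) return false;
  const target = new URL(url, pageOrigin); // resolves relative paths like /javascript/ga.js
  return sources.some((src) => {
    // 'self': same origin as the page. A data: URL has an opaque ("null") origin, so it never matches.
    if (src === "'self'") return target.origin === new URL(pageOrigin).origin;
    // scheme-source, e.g. "data:": matches any URL with that scheme, whatever its content.
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    // host-source, e.g. "https://www.google-analytics.com": scheme and host must match.
    if (/^https?:\/\//i.test(src)) {
      const allowed = new URL(src);
      return allowed.protocol === target.protocol && allowed.host === target.host;
    }
    return false; // 'unsafe-inline', nonces, hashes etc. are out of scope here
  });
}
```

Run against the original policy, the local /javascript/ga.js and the GA host are allowed while the injected data: script is refused, reproducing the console error; with data: added, any data: script is accepted, which is exactly why the answer advises against it.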