I embed analytics like this:
<script type="text/javascript" async="" src="http://www.google-analytics.com/plugins/ua/linkid.js"></script>
Then I added some google domains to CSP like this:
BrowserPolicy.content.allowScriptOrigin("*.google-analytics.com");
BrowserPolicy.content.allowImageOrigin("*.google.com");
This loads fine; however, as soon as Analytics tries to send some tracking info, it sometimes tries to load an image from google.pl (based on location). Is there any way to make sure that only .com is used? I obviously can't list all Google domains in the CSP headers.
The exact error is:
Refused to load the image 'https://www.google.pl/blabla' because it violates the following Content Security Policy directive: "img-src data: 'self' http://*.doubleclick.net https://*.doubleclick.net http://*.facebook.com https://*.facebook.com http://*.google.com https://*.google.com http://www.google-analytics.com https://www.google-analytics.com".
If it is of importance, the frameworks used here are Meteor 1.3.5.1 and the browser-policy package [email protected]
One solution is to use Geo IP to try to guess the domain. You could probably always include .com and the country domain dynamically, but I doubt this is a reliable solution.
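The Geo-IP idea above, sketched as an added example (not code from the question, the answer, or the Meteor browser-policy package): the allowlist for `img-src` is built from google.com plus the visitor's country domain, and a CSP violation report is parsed so that unexpected country domains can be found from real reports rather than guessed. `COUNTRY_GOOGLE_HOSTS` is a constructed, deliberately incomplete map, and the `policy` object passed to `applyImageOrigins` is assumed to expose `content.allowImageOrigin` as browser-policy does.

```javascript
// Constructed, incomplete map of ISO country code -> Google country host.
// A real deployment must maintain this list itself; it is not exhaustive.
const COUNTRY_GOOGLE_HOSTS = { PL: "www.google.pl", DE: "www.google.de", FR: "www.google.fr" };

// Always allow google.com and the Analytics host (both already in the
// question's policy); add the country host only when the Geo-IP lookup
// produced a code we know. Unknown codes fall back to .com only.
function imageOriginsFor(countryCode) {
  const origins = new Set(["https://www.google.com", "https://www.google-analytics.com"]);
  const host = COUNTRY_GOOGLE_HOSTS[(countryCode || "").toUpperCase()];
  if (host) origins.add("https://" + host);
  return [...origins];
}

// Apply the computed origins to a browser-policy-like object (assumed API:
// policy.content.allowImageOrigin(origin)). Returns the origins it added.
function applyImageOrigins(policy, countryCode) {
  const origins = imageOriginsFor(countryCode);
  for (const origin of origins) policy.content.allowImageOrigin(origin);
  return origins;
}

// Parse the JSON a browser POSTs to a report-uri endpoint (assuming one is
// configured) and return the origin blocked by img-src, or null for other
// directives or malformed input. Handles both the old form of
// "violated-directive" (directive plus its values) and the bare name.
function blockedImageOriginFromReport(reportJson) {
  let body;
  try { body = JSON.parse(reportJson)["csp-report"]; } catch { return null; }
  if (!body || typeof body["violated-directive"] !== "string") return null;
  if (body["violated-directive"].split(" ")[0] !== "img-src") return null;
  try { return new URL(body["blocked-uri"]).origin; } catch { return null; }
}

// Constructed sample report, modelled on the error quoted in the question.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.test/",
    "violated-directive": "img-src data: 'self' https://*.google.com https://www.google-analytics.com",
    "blocked-uri": "https://www.google.pl/blabla"
  }
});
```

Feeding collected reports through `blockedImageOriginFromReport` tells you which country hosts visitors actually hit, so the map can be grown from evidence instead of from the whole set of Google domains.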