Commit
Update csp for different regions
pfreitag committed Mar 22, 2024
1 parent 49a01af commit a4e3a84
Showing 3 changed files with 9 additions and 5 deletions.
2 changes: 1 addition & 1 deletion netlify.toml
Expand Up @@ -6,7 +6,7 @@
[headers.values]
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"
Content-Security-Policy = "default-src 'none'; script-src 'self' www.googletagmanager.com platform.twitter.com syndication.twitter.com static.ads-twitter.com 'sha256-ewTm8QMx/IkmbIFAIapvCHoCrGgIIHhn8qKC7/5Y2Ro=' 'unsafe-hashes' 'sha256-mplq9U9bn5xLaFQjbIOde0Eu7cXsI2xaTPex2jLztp0='; style-src 'self' cdnjs.cloudflare.com fonts.googleapis.com 'sha256-akbuxUDobAg86+TiT5p8TENoFqlhtGWtEqHedhVNujw='; font-src fonts.gstatic.com cdnjs.cloudflare.com; img-src 'self' syndication.twitter.com t.co analytics.twitter.com; frame-src platform.twitter.com; connect-src www.google-analytics.com"
Content-Security-Policy = "default-src 'none'; script-src 'self' www.googletagmanager.com platform.twitter.com syndication.twitter.com static.ads-twitter.com 'sha256-ewTm8QMx/IkmbIFAIapvCHoCrGgIIHhn8qKC7/5Y2Ro=' 'unsafe-hashes' 'sha256-mplq9U9bn5xLaFQjbIOde0Eu7cXsI2xaTPex2jLztp0='; style-src 'self' cdnjs.cloudflare.com fonts.googleapis.com 'sha256-akbuxUDobAg86+TiT5p8TENoFqlhtGWtEqHedhVNujw='; font-src fonts.gstatic.com cdnjs.cloudflare.com; img-src 'self' syndication.twitter.com t.co analytics.twitter.com; frame-src platform.twitter.com; connect-src *.google-analytics.com"

[[redirects]]
from = "/20*"
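Review bot: the `connect-src` change on the Content-Security-Policy line replaces the single host `www.google-analytics.com` with the wildcard `*.google-analytics.com`, which is the broader of the two options the accompanying google-analytics.html text offers, and the commit message does not say why the explicit list (`www.google-analytics.com region1.google-analytics.com`) was not chosen. Consider either listing the known regional endpoints explicitly, or adding a comment in netlify.toml recording that the wildcard was picked because the regional host names are not enumerated. Two things to check before merging: a `*.` host-source matches subdomain labels but not the apex `google-analytics.com` itself, so a request to the bare domain would still be blocked; and the wildcard now permits a connection to any subdomain of google-analytics.com, so the policy no longer pins the analytics endpoint to one host.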
3 changes: 3 additions & 0 deletions www/examples/google-analytics.html
Expand Up @@ -39,3 +39,6 @@ <h2>How it works</h2>
<li><code>connect-src www.google-analytics.com;</code> - The <a href="/connect-src/">connect-src policy</a> allows google analytics to make a XHR (XMLHttpRequest, aka AJAX request) under the domain www.google-analytics.com in order to send the analytics data. We could also make this more restrictive by using the full url: <code>https://www.google-analytics.com/g/collect</code> in the policy. The risk in using the full url is that if Google ever changes the endpoint url, we would need to update our policy.</li>
</ul>
<p>As you can see it is not terribly difficult to create a CSP policy that works with Google Analytics 4.</p>
<h2>Google Analytics in Different Regions</h2>
<p>We have found that in the EU region, google analytics may use a different endpoint, such as region1.google-analytics.com</p>
<p>In that case you may need to add region1.google-analytics.com to your <code>connect-src</code> policy, or you could potentially use <code>*.google-analytics.com</code> instead.</p>
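Review bot: the new paragraph at the end of the hunk presents `region1.google-analytics.com` and `*.google-analytics.com` as interchangeable, while the bullet above it already walks through the trade-off between a narrow and a broad source; one sentence noting that the explicit host list is the more restrictive choice and that the wildcard allows any subdomain of google-analytics.com would keep the two passages consistent, and the page could say which option this site's own netlify.toml uses. Also, the sentence "We have found that in the EU region, google analytics may use a different endpoint, such as region1.google-analytics.com" is missing its closing period, and "google analytics" should be capitalised as "Google Analytics" to match the rest of the page.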
9 changes: 5 additions & 4 deletions www/strict-dynamic.html
Expand Up @@ -37,10 +37,11 @@ <h2>Dealing with Unsupported Browsers</h2>
</ul>
<p>In fact you might see something like this in your developer tools console:</p>
<blockquote>
content security policy: ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified<br>
content security policy: ignoring “http:” within script-src: ‘strict-dynamic’ specified<br>
content security policy: ignoring “https:” within script-src: ‘strict-dynamic’ specified<br>
content security policy: ignoring “'unsafe-eval'” within script-src: ‘strict-dynamic’ specified
content security policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified<br>
content security policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified<br>
content security policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified<br>
content security policy: Ignoring “'unsafe-eval'” within script-src: ‘strict-dynamic’ specified<br>
content security policy: Ignoring “'report-sample'” within script-src: ‘strict-dynamic’ specified
</blockquote>
<p>So our script can be made backwards compatible by doing something like this:</p>
<pre>script-src 'nonce-rAnd0m' 'strict-dynamic' https: 'self';default-src 'self';</pre>
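Review bot: the console line added for 'report-sample' in the blockquote is not explained by the paragraph that follows it or by the example policy `script-src 'nonce-rAnd0m' 'strict-dynamic' https: 'self';default-src 'self';`, which does not contain 'report-sample'; a short sentence saying when that warning shows up (when 'report-sample' is present alongside 'strict-dynamic') would help readers who encounter it. The change from "ignoring" to "Ignoring" on the four existing lines is fine and makes the quoted messages consistent with each other.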

0 comments on commit a4e3a84
