From a4e3a84e824e4a425185884414354f1d37628bf0 Mon Sep 17 00:00:00 2001
From: Pete Freitag
Date: Fri, 22 Mar 2024 13:05:13 -0400
Subject: [PATCH] Update csp for different regions

---
 netlify.toml | 2 +-
 www/examples/google-analytics.html | 3 +++
 www/strict-dynamic.html | 9 +++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index 1291b22..85510ee 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -6,7 +6,7 @@
 [headers.values]
 X-Frame-Options = "DENY"
 X-XSS-Protection = "1; mode=block"
- Content-Security-Policy = "default-src 'none'; script-src 'self' www.googletagmanager.com platform.twitter.com syndication.twitter.com static.ads-twitter.com 'sha256-ewTm8QMx/IkmbIFAIapvCHoCrGgIIHhn8qKC7/5Y2Ro=' 'unsafe-hashes' 'sha256-mplq9U9bn5xLaFQjbIOde0Eu7cXsI2xaTPex2jLztp0='; style-src 'self' cdnjs.cloudflare.com fonts.googleapis.com 'sha256-akbuxUDobAg86+TiT5p8TENoFqlhtGWtEqHedhVNujw='; font-src fonts.gstatic.com cdnjs.cloudflare.com; img-src 'self' syndication.twitter.com t.co analytics.twitter.com; frame-src platform.twitter.com; connect-src www.google-analytics.com"
+ Content-Security-Policy = "default-src 'none'; script-src 'self' www.googletagmanager.com platform.twitter.com syndication.twitter.com static.ads-twitter.com 'sha256-ewTm8QMx/IkmbIFAIapvCHoCrGgIIHhn8qKC7/5Y2Ro=' 'unsafe-hashes' 'sha256-mplq9U9bn5xLaFQjbIOde0Eu7cXsI2xaTPex2jLztp0='; style-src 'self' cdnjs.cloudflare.com fonts.googleapis.com 'sha256-akbuxUDobAg86+TiT5p8TENoFqlhtGWtEqHedhVNujw='; font-src fonts.gstatic.com cdnjs.cloudflare.com; img-src 'self' syndication.twitter.com t.co analytics.twitter.com; frame-src platform.twitter.com; connect-src *.google-analytics.com"
 
 [[redirects]]
 from = "/20*"
diff --git a/www/examples/google-analytics.html b/www/examples/google-analytics.html
index 9ae3d4d..5a2a8a0 100644
--- a/www/examples/google-analytics.html
+++ b/www/examples/google-analytics.html
@@ -39,3 +39,6 @@
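Review bot: The new `connect-src *.google-analytics.com` trades a single allow-listed host for every subdomain of google-analytics.com, while the commit's own docs identify only `region1.google-analytics.com` as the extra endpoint; a least-privilege policy would enumerate the observed hosts, `connect-src www.google-analytics.com region1.google-analytics.com`, and widen only if further regional hosts actually appear. Note also that a `*.` host-source does not match the bare apex `google-analytics.com`, so if GA ever posts there (presumably not today) this policy will still block it. Since the next region-specific endpoint will otherwise surface only as silently lost analytics, consider pairing the policy with a `report-to`/`report-uri` directive or a `Content-Security-Policy-Report-Only` twin so such hosts are discovered from violation reports rather than from missing data. A why-comment above the key, `# connect-src is widened because GA4 posts to region-specific hosts (e.g. region1.google-analytics.com)`, would explain the broader grant to the next maintainer.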

How it works

  • connect-src www.google-analytics.com; - The connect-src policy allows google analytics to make a XHR (XMLHttpRequest, aka AJAX request) under the domain www.google-analytics.com in order to send the analytics data. We could also make this more restrictive by using the full url: https://www.google-analytics.com/g/collect in the policy. The risk in using the full url is that if Google ever changes the endpoint url, we would need to update our policy.
  • As you can see it is not terribly difficult to create a CSP policy that works with Google Analytics 4.

    +

    Google Analytics in Different Regions

    +

    We have found that in the EU region, google analytics may use a different endpoint, such as region1.google-analytics.com

    +

    In that case you may need to add region1.google-analytics.com to your connect-src policy, or you could potentially use *.google-analytics.com instead.

    \ No newline at end of file
    diff --git a/www/strict-dynamic.html b/www/strict-dynamic.html
    index 21b0ab8..2a143d6 100644
    --- a/www/strict-dynamic.html
    +++ b/www/strict-dynamic.html
    @@ -37,10 +37,11 @@

    Dealing with Unsupported Browsers

    In fact you might see something like this in your developer tools console:

    - content security policy: ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
    - content security policy: ignoring “http:” within script-src: ‘strict-dynamic’ specified
    - content security policy: ignoring “https:” within script-src: ‘strict-dynamic’ specified
    - content security policy: ignoring “'unsafe-eval'” within script-src: ‘strict-dynamic’ specified
    + content security policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
    + content security policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
    + content security policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
    + content security policy: Ignoring “'unsafe-eval'” within script-src: ‘strict-dynamic’ specified
    + content security policy: Ignoring “'report-sample'” within script-src: ‘strict-dynamic’ specified

    So our script can be made backwards compatible by doing something like this:

    script-src 'nonce-rAnd0m' 'strict-dynamic' https: 'self';default-src 'self';