Analytics
5.2K members online now
5.2K members online now
Dive into multiple domain (Cross/Sub) tracking, implementing Ecommerce and Enhanced Ecommerce, setting up Event tracking, and Universal Analytics code.
 
Guide Me
star_border
Reply

content-security-policy and Analytics and likely AdSense incompatible

Follower ✭ ✭ ☆
# 1
Follower ✭ ✭ ☆

Content Security Policy does not coexist with Analytics and, it seems, not with AdSense, either. Until I commented CSP out of my .htaccess file, I found no CSP configuration that worked with these Google products on my website. Not even with the most permissive CSP, with default-src set to the asterisk wildcard, would Google see that I had installed Analytics and AdSense code on most of my pages. Only when I commented all of it out did ads start appearing and have I found Analytics data that is not limited to data about my home page. This means that I don't have CSP for any purpose, which leaves my site more vulnerable than it should be. And, if I turn it back on (decomment it), there's apparently no longer any way to ask Google to look for the Analytics code at my request. Since CSP is recommended by various people for various purposes but no Google help page about either product mentions it (to my recollection), I wonder where the problem may be residing.

1 Expert replyverified_user

Re: content-security-policy and Analytics and likely AdSense incompati

Top Contributor
# 2
Top Contributor
Hi Nick :-)

I dont have any familiarity with Adsense and limited familiarity with CSP
As far as analytics goes, I would think the following would work:
Content-Security-Policy: script-src 'self' https://www.google-analytics.com;

Rather than using the htaccess file, have you considered using a meta tag on each page?

For further reading:
http://content-security-policy.com/
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Bronwyn Vourtis, Google Analytics Top Contributor
Was my response helpful? If yes, please mark it as the ‘Best Answer.’ Learn how here

Re: content-security-policy and Analytics and likely AdSense incompati

Follower ✭ ✭ ☆
# 3
Follower ✭ ✭ ☆

Yes, I tried script-src self as recently as last December 5 and script-src www.google-analytics.com the day before. I tried both of them for the general browser case as well as for Firefox and WebKit, all with the required quotation marks. I also tried default-src with the wildcard and if that doesn't work I doubt anything will. I didn't try meta tags because I have too many pages to have to edit each one by hand whenever I have a change, at least until Google announces that it will support meta CSP tags even while not supporting .htaccess for CSP. The content-security-policy.com home page has nothing additional on Analytics and nothing at all on AdSense and the HTML5Rocks page has nothing on either product. I also brought it up at my host and they had no different advice.