A simple site to assist in fine tuning the CSP rules required for Google Analytics.
To determine the complete set of CSP rules required for Google Analytics to work for everybody, I have tested with a variety of browsers on both windows and macOS platforms.
The current CSP rules enforced are:
default-src 'none' ;
script-src 'self' www.googletagmanager.com www.google-analytics.com;
style-src 'self' www.googletagmanager.com www.google-analytics.com;
img-src 'self' www.googletagmanager.com www.google-analytics.com;
connect-src www.google-analytics.com;
upgrade-insecure-requests;
block-all-mixed-content;
| Chrome 69 | Firefox 62 | Opera 55 | Edge | Internet Explorer 11 | Safari 12 | |
|---|---|---|---|---|---|---|
| Windows 10 Pro (1803) | None reported | None reported | None reported | None reported | None reported | N/A |
| macOS Sierra (v10.12.6) | None reported | None reported | None reported | N/A | N/A | None reported |
Full source code for the website is on GitHub at: https://github.com/TheYorkshireDev/analytics-csp
You can find me on Twitter @TheYorkshireDev