digital-analytics-program / gov-wide-code

Provides a set of JavaScript files and documentation to implement web analytics on US federal websites.
http://www.digital.gov/dap

Add guidance for Content-Security-Policy #107

Closed levinmr closed 2 months ago

raybaxter commented 2 months ago

This guidance is insufficient for a working implementation.

Universal-Federated-Analytics injects a script tag with src "https://www.google-analytics.com/analytics.js" without including the nonce and initiates at least 2 POST requests to https://www.google-analytics.com/.
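Added example, not part of the thread or the project's code: a small Node.js check of whether a Content-Security-Policy header permits the two loads named in the comment above. Function names and sample policies are constructed for illustration; matching assumes an https page and default ports.

```javascript
// Constructed sample policies: nonce-only versus one that also lists the GA host.
const NONCE_ONLY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const WITH_GA = NONCE_ONLY + " https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com";
const GA_SCRIPT = new URL("https://www.google-analytics.com/analytics.js");
const GA_POST = new URL("https://www.google-analytics.com/"); // POST path is not given on the page

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function sourceMatches(source, url) {
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(\/.*)?$/i.exec(source);
  if (!m) return false; // keywords, nonces, hashes and explicit ports are not matched here
  const [, scheme, wildcard, host, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith("." + h) : url.hostname === h;
  if (!hostOk) return false;
  if (!path || path === "/") return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function checkDapLoads(header) {
  const policy = parseCsp(header);
  const pick = (...names) => names.map((n) => policy.get(n)).find((s) => s !== undefined);
  const scriptSrc = pick("script-src-elem", "script-src", "default-src");
  const connectSrc = pick("connect-src", "default-src");
  // No governing directive means no restriction on that kind of load.
  const allows = (srcs, url) => srcs === undefined || srcs.some((s) => sourceMatches(s, url));
  const verdict = (ok) => (ok ? "allowed" : "blocked");
  // With 'strict-dynamic' browsers ignore host and scheme sources for scripts; the
  // nonce-less tag then loads only if a trusted script adds it through the DOM.
  const strictDynamic = (scriptSrc || []).some((s) => s.toLowerCase() === "'strict-dynamic'");
  return {
    injectedScript: strictDynamic ? "depends-on-strict-dynamic" : verdict(allows(scriptSrc, GA_SCRIPT)),
    postRequests: verdict(allows(connectSrc, GA_POST)),
  };
}

console.log(checkDapLoads(NONCE_ONLY), checkDapLoads(WITH_GA));
```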

levinmr commented 2 months ago

> This guidance is insufficient for a working implementation.
>
> Universal-Federated-Analytics injects a script tag with src "https://www.google-analytics.com/analytics.js" without including the nonce and initiates at least 2 POST requests to https://www.google-analytics.com/.

You're right. I've updated the guidance to be more accurate.

levinmr commented 2 months ago

@raybaxter please review