plausible / analytics

Simple, open source, lightweight (< 1 KB) and privacy-friendly web analytics alternative to Google Analytics.
https://plausible.io
GNU Affero General Public License v3.0
19.69k stars 1.05k forks

Refused to load the script 'https://plausible.io/js/script.js' because it violates the following Content Security Policy #2648

Closed nelsonic closed 1 year ago

nelsonic commented 1 year ago

Past Issues Searched

Issue is a Bug Report

Using official Plausible Cloud hosting or self-hosting?

Plausible Cloud from plausible.io

Describe the bug

We've tried adding the <script> tags to the root.html template in our Phoenix App: https://github.com/dwyl/mvp/blob/e7b516dddd4679d6f14e7576f29c6e5fe2816348/lib/app_web/templates/layout/root.html.heex#L31-L35

It's deployed to https://mvp.fly.dev, but we get the following error:

Refused to load the script 'https://plausible.io/js/script.js' 
because it violates the following Content Security Policy directive: 
"script-src 'self' https://cdnjs.cloudflare.com 'unsafe-eval' 'unsafe-inline'". 
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Have read your docs and googled a bunch and not found a solution.

Expected behavior

We would expect this to just work. But obviously that's naive. 🙄

Screenshots

No response

Environment

- OS: All.
- Browser: Any
- Browser Version: Latest

metmarkosaric commented 1 year ago

thanks for reporting @nelsonic! as your site has a content security policy, you would need to add our domain name plausible.io specifically to the allowed domains list in your CSP as otherwise our script will be blocked

nelsonic commented 1 year ago

@metmarkosaric thanks for your quick reply.
This is what we've been trying to do ... ⏳

https://github.com/dwyl/mvp/blob/e7b516dddd4679d6f14e7576f29c6e5fe2816348/lib/app_web/templates/layout/root.html.heex#L5-L8

e.g:

<meta
  http-equiv="Content-Security-Policy"
  content="default-src *; style-src 'self' 'unsafe-inline';
           script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://plausible.io;
           script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://plausible.io"
/>

We've tried googling this and reading as many posts on the CSP topic as we could find. We were just hoping that someone else using plausible/analytics had faced this issue and there was already a well defined solution. 🤞

metmarkosaric commented 1 year ago

you're welcome! you can see here how others manage their CSP to put our domain on the allow list: https://github.com/plausible/docs/issues/20

nelsonic commented 1 year ago

Thanks for the link. Dunno why that didn't show up when we googled ... Trying:

Content-Security-Policy: default-src 'self'; script-src plausible.io; connect-src plausible.io

now. 🧑‍💻 ⏳
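As an added example (not code from the Plausible project or the dwyl app), the block below evaluates a script load against one or more policies the way the browser does, including the case where an HTTP header and a <meta> tag both apply; the header policy is reconstructed from the error message above, and the page origin and script URL are the ones from this thread.

```javascript
// Added example (not Plausible's or the dwyl app's code): does a <script src> load pass CSP?
// Uses the fallback chain named in the error message (script-src-elem -> script-src -> default-src).
// Simplified: host-source ports and paths are ignored; a scheme-less host-source matches any scheme.

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function hostSourceMatches(source, url) {
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m && m[1].toLowerCase() + ":" !== url.protocol) return false;
  const host = (m ? m[2] : source).split("/")[0].split(":")[0].toLowerCase();
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function policyAllowsScript(policy, scriptUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  const name = ["script-src-elem", "script-src", "default-src"].find((d) => directives.has(d));
  if (!name) return true; // no governing directive, nothing to enforce
  const url = new URL(scriptUrl);
  return directives.get(name).some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return url.origin === pageOrigin;
    if (src.startsWith("'")) return false; // keyword, nonce and hash sources never match a URL
    return hostSourceMatches(src, url);
  });
}

// Every delivered policy must allow the load: a permissive <meta> tag cannot widen a stricter header.
function scriptAllowed(policies, scriptUrl, pageOrigin) {
  return policies.every((p) => policyAllowsScript(p, scriptUrl, pageOrigin));
}

// Constructed samples: the script-src from the issue's error message, the <meta> policy
// tried in the thread (abbreviated), and the header-only policy tried last.
const HEADER_CSP = "script-src 'self' https://cdnjs.cloudflare.com 'unsafe-eval' 'unsafe-inline'";
const META_CSP = "default-src *; script-src-elem 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://plausible.io";
const DOCS_CSP = "default-src 'self'; script-src plausible.io; connect-src plausible.io";
const SCRIPT = "https://plausible.io/js/script.js";
const PAGE = "https://mvp.fly.dev";

console.log(scriptAllowed([HEADER_CSP, META_CSP], SCRIPT, PAGE)); // false: the header still blocks it
console.log(scriptAllowed([DOCS_CSP], SCRIPT, PAGE));             // true
console.log(scriptAllowed([DOCS_CSP], PAGE + "/assets/app.js", PAGE)); // false: no 'self' in script-src
```

The last line shows that the header-only policy lists just plausible.io under script-src, so a site's own scripts need 'self' there as well.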

metmarkosaric commented 1 year ago

you're welcome! closing this as it looks like you have a fix. there's not much we can do from our side about CSPs as it depends on your setup

nelsonic commented 1 year ago

Thanks again @metmarkosaric 👌