welpo / tabi

A modern Zola theme with search, multilingual support, optional JavaScript, a perfect Lighthouse score, and a focus on accessibility.
https://welpo.github.io/tabi/
MIT License

Umami analytics blocked unless CSP is modified #299

Closed arichtman closed 2 months ago

arichtman commented 2 months ago

Bug Report

I'm not sure if we should handle this by default, since it is messing with security. So I'm filing this in case we should handle it.

If you like I can revert my website so you can see it for yourself.

I was able to get my analytics working again using this - so it's not totally fatal. I'm not sure if the font-src and img-src are related to Umami.

allowed_domains = [
    { directive = "connect-src", domains = ["api-gateway-eu.umami.dev"]},
    { directive = "font-src", domains = ["'self'", "data:"] },
    { directive = "img-src", domains = ["'self'", "data:"] },
]

Environment

Zola version: 0.18.0
tabi version or commit: ba5acca7340a940092a9be196302b01441617720
Website: https://github.com/arichtman/www.richtman.au

Expected Behavior


Umami's analytics script should be pulled and sending data.

Current Behavior


Content Security Policy blocks a call to https://api-gateway-eu.umami.dev.

Steps to Reproduce


Set the following in config.toml

[extra.analytics]
service = "umami"
id = "$MY_KEY"

welpo commented 2 months ago

Thanks for the report!

I try to handle CSP for tabi features automatically, so this would be a bug.

The code that generates CSP is here.

I believe the issue should disappear if we add the api gateway URL to connect-src (after line 27).

Would you like to test this fix and do a PR?