Google Analytics and Content-Security-Policy header


Question

The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on both. What are the best practices in this area?

This is the Content-Security-Policy header that I'm currently using:

default-src 'self'; script-src 'self' https://ssl.google-analytics.com; img-src 'self'  http://www.google-analytics.com/__utm.gif https://ssl.google-analytics.com/__utm.gif;

So far, I've done the following:

I added two script tags to my html:

<script src="/js/google-analytics.js"></script>
<script src="https://ssl.google-analytics.com/ga.js" async="true"></script>

google-analytics.js sets up the _gaq array with _setAccount and _trackPageview.

I added the domain for ga.js to the script-src.

I noticed that ga.js was loading two images, so I added them to img-src.

Is there anything I'm missing? Will Google change things on me and break all of this? Is there any official recommendation?

Answer

This is mostly correct:

  1. You don't need the path to the image, just the protocol + host + (implied) port

Firefox differs slightly in its CSP implementation. For older versions, replace default-src with allow. There was a cutoff where Firefox supported default-src as equal to allow but most still implement with allow until it fully supports the spec (no citation included).
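To make the answer's first point concrete, here is an added example (not code from the question, the answer, or Google) that implements simplified CSP source-expression matching and checks the question's header, and a variant with the image paths dropped, against the URLs the question mentions. It assumes the page is served from the placeholder origin https://example.com and ignores keyword sources other than 'self', nonces, hashes and the '*' port wildcard.

```python
from urllib.parse import urlsplit

# The question's header, reproduced here as the sample input.
QUESTION_CSP = ("default-src 'self'; script-src 'self' https://ssl.google-analytics.com; "
                "img-src 'self' http://www.google-analytics.com/__utm.gif "
                "https://ssl.google-analytics.com/__utm.gif;")
# The same policy with the answer's advice applied: origins only, no image paths.
ANSWER_CSP = ("default-src 'self'; script-src 'self' https://ssl.google-analytics.com; "
              "img-src 'self' http://www.google-analytics.com https://ssl.google-analytics.com;")
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_policy(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_allows(expr, url, page_origin):
    """Simplified CSP source-expression match: scheme, host, port and optional path."""
    if expr == "'self'":
        expr = page_origin
    if "://" not in expr:  # host-only expression inherits the page's scheme
        expr = urlsplit(page_origin).scheme + "://" + expr
    src, tgt = urlsplit(expr), urlsplit(url)
    # Scheme must match; an http expression also covers https (CSP upgrade rule).
    if src.scheme != tgt.scheme and not (src.scheme == "http" and tgt.scheme == "https"):
        return False
    if (tgt.hostname or "").lower() != src.hostname.lower():
        return False
    if src.port is None:  # no port in expression: URL must be on its scheme's default port
        if tgt.port not in (None, DEFAULT_PORTS.get(tgt.scheme)):
            return False
    elif src.port != (tgt.port or DEFAULT_PORTS.get(tgt.scheme)):
        return False
    # An expression without a path matches every path on that origin; with a path,
    # a trailing "/" means prefix match, otherwise the path must match exactly.
    if src.path and src.path != "/":
        return tgt.path.startswith(src.path) if src.path.endswith("/") else tgt.path == src.path
    return True

def policy_allows(header, directive, url, page_origin="https://example.com"):
    """Check a URL against one fetch directive, falling back to default-src."""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(e, url, page_origin) for e in sources)
```

Running the checks shows why the path form is brittle: the question's header allows exactly /__utm.gif and nothing else on that host, so any change to the beacon path by Google would be blocked, while the origin-only form keeps working and still blocks unrelated hosts and non-default ports.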
