Google Analytics and Content-Security-Policy header
Question
The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on both. What are the best practices in this area?
This is the Content-Security-Policy header that I'm currently using:
default-src 'self'; script-src 'self' https://ssl.google-analytics.com; img-src 'self' http://www.google-analytics.com/__utm.gif https://ssl.google-analytics.com/__utm.gif;
So far, I've done the following:
I added two script tags to my html:
<script src="/js/google-analytics.js"></script>
<script src="https://ssl.google-analytics.com/ga.js" async="true"></script>
google-analytics.js sets up the _gaq array with _setAccount and _trackPageview.
I added the domain for ga.js to the script-src.
I noticed that ga.js was loading two images, so I added them to img-src.
Is there anything I'm missing? Will Google change things on me and break all of this? Is there any official recommendation?
This is mostly right:
You don't need the path to the image, just the protocol + host + (implied) port
Firefox differs slightly in its CSP implementation. For older versions, replace default-src with allow. There was a cutoff where Firefox supported default-src as equal to allow, but most still implement with allow until it fully supports the spec (no citation included).
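A small policy checker, added here as an example and not part of the question or the answer, that applies the answer's point: a host source is matched on scheme, host and port, so the image paths in the poster's img-src add nothing and the trimmed header permits exactly the same requests. It assumes the page is served from https://example.com and ignores any path in a source expression, as CSP 1.0 did.

```python
from urllib.parse import urlsplit

# Constructed policies: the poster's header as posted, and the same header with the
# image paths dropped, as the answer recommends (scheme + host; port implied by scheme).
ORIGINAL_POLICY = ("default-src 'self'; script-src 'self' https://ssl.google-analytics.com; "
                   "img-src 'self' http://www.google-analytics.com/__utm.gif "
                   "https://ssl.google-analytics.com/__utm.gif;")
TRIMMED_POLICY = ("default-src 'self'; script-src 'self' https://ssl.google-analytics.com; "
                  "img-src 'self' http://www.google-analytics.com https://ssl.google-analytics.com")
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_source(source, page_scheme):
    """(scheme, host, port) of a host-source like https://host:8443/path; path is ignored."""
    scheme, _, rest = source.partition("://")
    if not rest:                              # no scheme given: inherit the page's
        scheme, rest = page_scheme, source
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme.lower(), host.lower(), int(port) if port else DEFAULT_PORTS.get(scheme.lower())

def _url_origin(url):
    u = urlsplit(url)
    return u.scheme.lower(), u.hostname, u.port or DEFAULT_PORTS.get(u.scheme.lower())

def source_matches(source, url, page_origin):
    """Does one source expression permit url? page_origin is (scheme, host, port)."""
    scheme, host, port = _url_origin(url)
    if source == "'self'":
        return (scheme, host, port) == page_origin
    if source.endswith(":"):                  # scheme-source such as https:
        return scheme == source[:-1].lower()
    s_scheme, s_host, s_port = _host_source(source, page_origin[0])
    host_ok = host.endswith(s_host[1:]) if s_host.startswith("*.") else host == s_host
    return host_ok and scheme == s_scheme and port == s_port

def is_allowed(header, directive, url, page_origin):
    """Check url against directive, falling back to default-src as the spec does."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)
```

Note that a request to the same host over the other scheme (http instead of https) is refused, because the scheme and its implied port are part of the match.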