Google Analytics and Content-Security-Policy header


Problem description

The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on both. What are the best practices in this area?

This is the Content-Security-Policy header that I'm currently using:

default-src 'self'; script-src 'self' https://ssl.google-analytics.com; img-src 'self'  http://www.google-analytics.com/__utm.gif https://ssl.google-analytics.com/__utm.gif;

So far, I've done the following:

I added two script tags to my html:

<script src="/js/google-analytics.js"></script>
<script src="https://ssl.google-analytics.com/ga.js" async="true"></script>

google-analytics.js sets up the _gaq array with _setAccount and _trackPageview.

I added the domain for ga.js to the script-src.

I noticed that ga.js was loading two images, so I added them to img-src.

Is there anything I'm missing? Will Google change things on me and break all of this? Is there any official recommendation?

Solution

This is mostly right:

  1. You don't need the path to the image, just the protocol + host + (implied) port

  2. Firefox differs slightly in its CSP implementation. For older versions, replace default-src with allow. There was a cutoff where Firefox treated default-src as equal to allow, but most still implement it with allow until it fully supports the spec (no citation included).
