Can Content Security Policy be made compatible with Google Analytics and AdSense?

Backend | Unresolved | 5 | 767
执念已碎 2020-12-15 09:47

Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site o

5 answers

    难免孤独 2020-12-15 10:20

    Adsense

    For Google Adsense, e.g. this CSP "works":

    Content-Security-Policy: frame-ancestors 'self';

    It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.

    But the Adsense scripts can be loading something that loads, which in turn loads etc. And given the thousands (at the time of writing: 3103) 3rd party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So to restrict where you're going to let images, flash, javascript etc. be loaded from if you want to have Adsense just is not going to happen.

    One or the other:

    • either Adsense
    • or a restrictive CSP

    But not both.

    Analytics

    is another matter, already covered in other replies. [not a user]

    CSP policies

    Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.

    While writing policies it might be better to put a report-only one up first. The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only
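To make the point in the answer above concrete (that `*` and `https:` cover network URLs only, while data: resources and inline script need their own entries), here is a small CSP source-list matcher. It is an added example, not code from the thread; it implements only the source-expression rules relevant here, with the page origin and the script URLs being assumed sample values.

```python
"""Minimal CSP source-list matcher (added example, not from the thread).

Implements just enough of CSP Level 3 source-expression matching to show
that `*` and `https:` do not cover data: URLs or inline script, which need
an explicit `data:` entry and 'unsafe-inline' respectively.
"""
from urllib.parse import urlsplit

# Per CSP3, a bare `*` matches only network schemes, never data:/blob:.
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def _host_matches(pattern: str, host: str) -> bool:
    """Host-source matching: '*.example.com' covers subdomains only."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern


def source_allows(expr: str, url: str, self_origin: str) -> bool:
    """Does one source expression (e.g. *, https:, 'self', host) allow url?"""
    u = urlsplit(url)
    if expr == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if expr == "*":
        return u.scheme in NETWORK_SCHEMES
    if expr.endswith(":"):          # scheme-source such as https: or data:
        return u.scheme == expr[:-1]
    if expr.startswith("'"):        # 'unsafe-inline', 'nonce-...' never match a URL
        return False
    # host-source: [scheme://]host[:port]; scheme-less hosts accept any scheme here
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    host, _, port = rest.partition(":")
    if scheme and u.scheme != scheme:
        return False
    if port and port != "*" and str(u.port or "") != port:
        return False
    return _host_matches(host, u.hostname or "")


def allows_url(source_list: str, url: str, self_origin: str = "https://example.com") -> bool:
    """Is url allowed by a directive value such as "* data:"? (origin is a sample)"""
    return any(source_allows(e, url, self_origin) for e in source_list.split())


def allows_inline(source_list: str) -> bool:
    """Inline script/style needs 'unsafe-inline' (nonces and hashes aside)."""
    return "'unsafe-inline'" in source_list.split()
```

Feeding it the policies from the answer shows why a permissive-looking `default-src *` still breaks pages that rely on data: images or inline tag snippets.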
