Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site o
With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all JavaScript (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (PHP, Ruby, etc.), but if this is outside of your app/in a regular old HTML file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)
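
The three steps in the answer above, as an added Ruby example that is not part of the original post: a fresh nonce per response goes into both the CSP header and the `<script>` tag, and a small check lists the script tags a nonce-based policy would refuse. The helper names, the `/js/` path and the exact directive set (modeled on the strict CSP page linked in step 2) are assumptions.

```ruby
require "securerandom"

# Fresh, unpredictable nonce for ONE HTTP response (128 random bits, base64).
# Reusing a nonce across responses defeats the purpose.
def new_nonce
  SecureRandom.base64(16)
end

# Nonce-based policy (assumed directive set). 'strict-dynamic' lets a nonced
# script load further scripts; 'unsafe-inline' and https: are fallbacks that
# browsers supporting nonces and 'strict-dynamic' ignore.
def csp_header(nonce)
  ["object-src 'none'",
   "script-src 'nonce-#{nonce}' 'strict-dynamic' 'unsafe-inline' https:",
   "base-uri 'none'"].join("; ")
end

# Step 3: include the external file as usual, plus the nonce attribute.
# src is a trusted constant here, so it is not HTML-escaped.
def script_tag(src, nonce)
  %(<script src="#{src}" nonce="#{nonce}"></script>)
end

# Opening <script> tags whose nonce is missing or differs from the header's.
# These are the tags the policy would block.
def blocked_scripts(html, header)
  allowed = header[/'nonce-([^']+)'/, 1]
  html.scan(/<script\b[^>]*>/i).reject do |tag|
    (n = tag[/\bnonce="([^"]*)"/, 1]) && n == allowed
  end
end

# One response: header and body share the same nonce.
def render_page
  nonce = new_nonce
  head = script_tag("/js/mygooganalytics.js", nonce) # hypothetical path
  { header: csp_header(nonce),
    body: "<html><head>#{head}</head><body></body></html>" }
end

if __FILE__ == $PROGRAM_NAME
  page = render_page
  puts "Content-Security-Policy: #{page[:header]}"
  puts page[:body]
  puts "blocked: #{blocked_scripts(page[:body], page[:header]).inspect}"
end
```

A cached HTML page served with a newly generated header fails this check, which is the usual reason a nonce policy blocks a script that carries a nonce attribute.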