Google Analytics and Content-Security-Policy header

日久生厌 2020-12-09 18:10

The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on bo

1 Answer
  •  Happy的楠姐
    2020-12-09 18:33

    This is mostly right:

    1. You don't need the path to the image, just the protocol + host + (implied) port

    2. Firefox differs slightly in its CSP implementation. For older versions, replace default-src with allow. There was a cutoff where Firefox supported default-src as equal to allow but most still implement with allow until it fully supports the spec (no citation included).

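Point 1 of the answer above, as an added example that is not part of the original question or answer: reducing full resource URLs to the scheme + host (+ non-default port) form that a CSP source list needs, and emitting the same policy with `allow` as the fallback directive for the older Firefox case in point 2. The sample URLs, the `'self'` fallback and the function names are assumptions made for illustration, and the result is not claimed to be a complete policy for any particular Google Analytics snippet.

```javascript
// Added example: derive CSP host-source expressions from resource URLs.
const HOST_SOURCE_SCHEMES = new Set(["http:", "https:"]);

// Reduce a URL to scheme + host (+ port only when non-default). Path and
// query are dropped: a host-source without a path matches every path on
// that origin, so listing the image path adds nothing.
function toSourceExpression(resourceUrl) {
  const u = new URL(resourceUrl);
  if (!HOST_SOURCE_SCHEMES.has(u.protocol)) {
    throw new Error(`unsupported scheme for a host-source: ${u.protocol}`);
  }
  // The URL parser already clears u.port when it equals the scheme default.
  const port = u.port ? `:${u.port}` : "";
  return `${u.protocol}//${u.hostname}${port}`;
}

// resources: { directiveName: [url, ...] } -> policy string.
// fallbackDirective is "default-src", or "allow" for older Firefox.
function buildPolicy(resources, fallbackDirective = "default-src") {
  const parts = [`${fallbackDirective} 'self'`]; // 'self' is an assumption
  for (const [directive, urls] of Object.entries(resources)) {
    // Deduplicate: several URLs on one origin collapse to one expression.
    const sources = [...new Set(urls.map(toSourceExpression))].sort();
    parts.push(`${directive} 'self' ${sources.join(" ")}`);
  }
  return parts.join("; ");
}

// Constructed sample input: a script loader and two tracking-image URLs.
const sampleResources = {
  "script-src": ["https://www.google-analytics.com/analytics.js"],
  "img-src": [
    "https://www.google-analytics.com/collect?v=1&t=pageview",
    "https://www.google-analytics.com:443/r/collect",
  ],
};

const policy = buildPolicy(sampleResources);
const legacyFirefoxPolicy = buildPolicy(sampleResources, "allow");
console.log(policy);
console.log(legacyFirefoxPolicy);
```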