Reputation: 61719
I have the Content Security Policy:
default-src 'none';
style-src 'self';
script-src 'self' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
connect-src 'self';
On my page I have put the inline GA code into an async script:
<script src="/javascript/ga.js" async></script>
This causes a CSP error:
Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZl…07Cgl9OwoJZ2EucmVtb3ZlID0gbm9vcGZuOwoJd2luZG93W2dhTmFtZV0gPSBnYTsKfSkoKTs=' because it violates the following Content Security Policy directive: "script-src 'self' https://www.google-analytics.com".
Is there any way to serve this script from a JS file, and if not how would I need to change the CSP?
Upvotes: 15
Views: 5007
Reputation: 33538
Please see Michele Spagnuolo's answer and upvote.
This is caused by uBlock Origin and it is because data: URLs are not whitelisted:
script-src data:;
There is no point in doing this as this could leave your application vulnerable should untrusted data be used as URLs anywhere within your application, or if the attacker can inject tags that use such URLs. This of course depends on the injection point and which characters are allowed.
Of course you should be whitelisting any user entered URLs (e.g. make sure they start with http:// or https://), however as CSP is a defence-in-depth measure you probably don't want to weaken it too much.
The upshot is that you're weakening your CSP by doing this in order to prevent a CSP report or error from being triggered.
Upvotes: 7
Reputation: 932
Google Analytics is CSP-compatible. The base64-encoded data: blob OP is seeing is being injected by the uBlock Origin extension. To verify, disable it/try incognito. IIRC, this is due to an "experimental/unbreak" setting in the extension.
Please resist the temptation to whitelist data: in script-src. That would make the policy completely useless for XSS mitigation, since an attacker could just inject <script src="data:text/javascript,alert(1)"></script> to execute Javascript.
Upvotes: 14
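As an added example (not code from the question or from either answer), the Node.js script below models how a browser evaluates the script-src directive of a Content-Security-Policy against a script URL, implementing the CSP3 source-expression rules for 'none', 'self', '*', scheme sources such as data:, and host sources such as https://www.google-analytics.com, with fallback to default-src when script-src is absent. Nonces, hashes, 'strict-dynamic' and the https-upgrade special cases are left out. The page origin https://example.com and the sample script URLs are assumptions. Run against the policy from the question it refuses the data: script exactly as the error above does; run against the same policy with data: added to script-src it lets the injected alert(1) payload from the second answer through, which is the weakening both answers warn about.

```javascript
// Added example: a minimal model of CSP script-src evaluation (not the page's code).
// Assumed: page origin https://example.com; the sample URLs are constructed.

function parsePolicy(policy) {
  // Directives are ';'-separated, tokens whitespace-separated.
  // Per CSP, a repeated directive name is ignored: the first occurrence wins.
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function matchesHostSource(expr, url) {
  // expr: [scheme://]host[:port][/path]; host may start with "*." for subdomains.
  let scheme = null;
  let rest = expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; rest = m[2]; }
  const slash = rest.indexOf('/');
  const hostPort = slash >= 0 ? rest.slice(0, slash) : rest;
  const path = slash >= 0 ? rest.slice(slash) : '';
  const [hostRaw, port] = hostPort.split(':');
  const host = hostRaw.toLowerCase();

  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    // A host source with no scheme only matches network schemes,
    // so it can never authorise a data: or blob: URL.
    return false;
  }
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com": matches subdomains, not the apex
    if (!url.hostname.endsWith(suffix)) return false;
  } else if (host !== url.hostname) {
    return false;
  }
  if (port && port !== '*') {
    const defaultPort = url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '';
    if ((url.port || defaultPort) !== port) return false;
  }
  if (path) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function matchesSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin; // a data: URL has origin "null"
  if (e.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not URL matching
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:'; // '*' excludes data:/blob:
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme source, e.g. "data:"
  return matchesHostSource(e, url);
}

function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  const url = new URL(scriptUrl, pageOrigin + '/'); // resolves relative URLs like /javascript/ga.js
  return sources.some((src) => matchesSource(src, url, pageOrigin));
}

// The policy from the question, and the weakened variant both answers warn against.
const STRICT_POLICY = "default-src 'none'; style-src 'self'; script-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com; connect-src 'self'";
const WEAK_POLICY = STRICT_POLICY.replace("script-src 'self'", "script-src 'self' data:");
const PAGE_ORIGIN = 'https://example.com'; // assumed origin of the page carrying the policy

// Constructed sample script URLs; injectedData is the payload from the second answer.
const SAMPLES = {
  ownScript: '/javascript/ga.js',
  analytics: 'https://www.google-analytics.com/analytics.js',
  injectedData: 'data:text/javascript,alert(1)',
  otherHost: 'https://evil.example/x.js',
};

function evaluate(policy) {
  const out = {};
  for (const [name, u] of Object.entries(SAMPLES)) out[name] = scriptAllowed(policy, PAGE_ORIGIN, u);
  return out;
}

console.log('strict:', evaluate(STRICT_POLICY));
console.log('weak:  ', evaluate(WEAK_POLICY));
```

The decisive difference is in the last two checks of matchesSource: 'self' compares origins, and a data: URL's origin is the opaque "null", so it can never satisfy 'self' or any host source; only an explicit data: scheme source admits it, and once it does, it admits every data: URL an attacker can inject, not just the one uBlock Origin generated.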