I insert analytics as follows:
<script type="text/javascript" async="" src="http://www.google-analytics.com/plugins/ua/linkid.js"></script>
Then I added some Google domains to the CSP as follows:
BrowserPolicy.content.allowScriptOrigin("*.google-analytics.com"); BrowserPolicy.content.allowImageOrigin("*.google.com");
This loads fine, however, as soon as Google Analytics tries to send some tracking information, it sometimes tries to download the image from google.pl (depending on location). Is there a way to make sure that only .com is used? I obviously cannot list all google domains in the CSP headers.
Exact error:
It is refused to download the image https://www.google.pl/blabla 'because it violates the following content security policy directive: "img-src data:' self ' http: //*.doubleclick.net https: // * .doubleclick.net http: //*.facebook.com https: //*.facebook.com http: //*.google.com https: //*.google.com http: //www.google-analytics .com https://www.google-analytics.com . "
If it is important, the frameworks used here are: Meteor 1.3.5.1 and browser policy package browser-policy@1.0.9
One solution is to use Geo IP to try and guess the domain. You can probably always include .com and the country domain dynamically, but I doubt this is a reliable solution.