Google Analytics sends tracking in the country domain, so it is blocked by CSP

I insert analytics as follows:

<script type="text/javascript" async="" src="http://www.google-analytics.com/plugins/ua/linkid.js"></script> 

Then I added some Google domains to the CSP as follows:

 BrowserPolicy.content.allowScriptOrigin("*.google-analytics.com"); BrowserPolicy.content.allowImageOrigin("*.google.com"); 

This loads fine, however, as soon as Google Analytics tries to send some tracking information, it sometimes tries to download the image from google.pl (depending on location). Is there a way to make sure that only .com is used? I obviously cannot list all google domains in the CSP headers.

Exact error:

It is refused to download the image https://www.google.pl/blabla 'because it violates the following content security policy directive: "img-src data:' self ' http: //*.doubleclick.net https: // * .doubleclick.net http: //*.facebook.com https: //*.facebook.com http: //*.google.com https: //*.google.com http: //www.google-analytics .com https://www.google-analytics.com . "

If it is important, the frameworks used here are: Meteor 1.3.5.1 and browser policy package browser-policy@1.0.9

+6
source share
1 answer

One solution is to use Geo IP to try and guess the domain. You can probably always include .com and the country domain dynamically, but I doubt this is a reliable solution.

+1
source

All Articles