content-security-policy vs. Google Analytics and AdSense #1765
Comments
@Nick-Levinson It's not (see example).
It is commented out.
The example that's needed is of a website using it together with access into the website owner's Google account so the Analytics data can be displayed for all individual pages having Analytics code in the source (my Google Analytics account showed only the home page), because that would refute what I pointed out. The Google thread I linked to in the opening post has not been substantively updated in 3 weeks, thus Google is not claiming compatibility. You're right that in .htaccess CSP is commented out now but my point is that it has to stay that way (unless Analytics and AdSense are unimportant to a site) because even CSP default-src set to the wildcard prevents Analytics data from being displayed, and prevents Google's machines from seeing the Analytics code even when humans do see it, and prevents AdSense ads from appearing.
Could we please reopen this with respect to the extend.md file? Since the example given was of how to write CSP and Google doesn't accept any CSP no matter how written, I opened an issue regarding .htaccess at server-configs-apache and mentioned extend.md but I don't know if they handle the latter. I'm going to try a pull request for another issue, but even if I succeed with that I don't want to do a PR on this if it's controversial until others have weighed in. Thanks.
From: h5bp/server-configs-apache#90:
@Nick-Levinson The example that I gave you is from the
Could you please cite any specific website that uses CSP and for which the owner reports getting Google Analytics data for most pages in the site? Can you cite one using CSP and on which an AdSense ad can be found? I hope you read the thread I linked to in my opening post; in four weeks, Google has not asserted that I'm wrong. I already read <.htaccess>, already knew of the CSP code in that file, and already tried variations including default-src with a wildcard. I don't know of any working example of a site as above. Perhaps it used to work. Perhaps the failure is only more recent. I think the failure of CSP to work with those two products is at least a couple of months old, based on my experience. It was Google's forum respondents who told me that CSP might be the problem and they turned out, so far, to be right. If you know of contrary examples of websites, please post at least one for each product.
@Nick-Levinson I already did, https://html5boilerplate.com/.
Before I posted both of my previous comments, I also logged into H5BP's Google Analytics account to check / recheck that things still worked, and they were working properly.
For personal support requests, please use Stack Overflow. Thanks!
Content Security Policy is incompatible with Google Analytics and Google AdSense. Even the default-src wildcard, which is intended to admit everything from everywhere, is insufficient permission. If either Google product is needed on a website, CSP must be disabled (e.g., commented out) from .htaccess site-wide applicability. I reported this to Google (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031). I did not test with a non-httpd server (I don't have one) or a meta tag (too many website pages).
This should be stated in .htaccess > Security > Content Security Policy (CSP) (regarding both Google products) and in extend.md > Google Universal Analytics (regarding Analytics only) and in a new section I propose, extend.md > Google AdSense.
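
Added example, not part of the original thread or the H5BP project: a simplified check of how a policy treats scripts. In CSP a `*` source matches network URLs only, so an inline script still needs `'unsafe-inline'`, a nonce or a hash. The function names, the constructed policies, and the assumption that the Analytics snippet is an inline script that loads `https://www.google-analytics.com/analytics.js` are illustrative.

```javascript
// Simplified CSP script check (added example). Handles only: *, 'self',
// 'unsafe-inline', nonces/hashes, scheme sources and host sources with an
// optional leading "*."; ports and paths in host sources are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives;
}

// script-src falls back to default-src; null means scripts are unrestricted.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") ?? d.get("default-src") ?? null;
}

// Is an inline <script> without a nonce or hash allowed to run?
function allowsInlineScript(policy) {
  const src = scriptSources(policy);
  if (src === null) return true;
  const nonceOrHash = src.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  return src.some((s) => s.toLowerCase() === "'unsafe-inline'") && !nonceOrHash;
}

// Is a <script src=url> allowed on a page served from pageOrigin?
function allowsExternalScript(policy, url, pageOrigin) {
  const src = scriptSources(policy);
  if (src === null) return true;
  const target = new URL(url);
  return src.some((s) => {
    if (s === "*") return /^(https?|wss?):$/.test(target.protocol);
    if (s.toLowerCase() === "'self'") return target.origin === pageOrigin;
    if (s.startsWith("'")) return false; // other keywords, nonces, hashes
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return target.protocol === s.toLowerCase();
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(s);
    if (!m || (m[1] && m[1].toLowerCase() + ":" !== target.protocol)) return false;
    const host = m[2].toLowerCase();
    if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
    return target.hostname === host;
  });
}
// Constructed policies for illustration.
const WILDCARD = "default-src *";
const EXPLICIT = "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com";
```

Under `WILDCARD` the external `analytics.js` load passes while an inline snippet is refused; `EXPLICIT` permits both, at the cost of allowing every inline script on the page.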