Skip to content

Does csp_extra works correctly? #61

Description

@slinkinone

I tried to integrate Google Analytics on website. Here is a part of _config.yml:

style: light # dark (default), light, hacker, or nord
#listen_for_clients_preferred_style: true
disable_google_fonts: true

#
tracking:
  script_src:
    - https://www.googletagmanager.com/gtag/js?id=G-0000000000
  async: true
  defer: false
  # Optional inline init snippet (requires CSP allowance if used)
  init: |
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-0000000000');

csp_extra: "script-src 'self' https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com;"

On website I see the following code:

<!DOCTYPE html>
<html lang="en"><meta http-equiv="Content-Security-Policy" content="default-src 'none';
connect-src 'self';
base-uri 'self';
form-action 'none';
img-src 'self' https: data:;
style-src 'self' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com data:;
media-src 'self';
object-src 'none';
child-src 'self';
script-src 'self'; script-src 'self' https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com;" />
<meta http-equiv="X-XSS-Protection"  content="1;mode=block" always>
<meta http-equiv="Referrer-Policy" content="no-referrer, strict-origin-when-cross-origin"><head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
  <meta name="color-scheme" content="dark light"><meta name="keywords" content="dpi, deep packet inspection, traffic classification, nta, network traffic analyzer, integration solution, network monitor, dpi framework, dpi library, dpi engine, industrial dpi, sl dc engine, dc engine"><!--<title>/</title>-->
  <title>slinkin-tech:/</title>

  <!-- Begin Jekyll SEO tag v2.8.0 -->
<title>/ | slinkin-tech</title>
<meta name="generator" content="Jekyll v3.10.0" />
<meta property="og:title" content="/" />
<meta property="og:locale" content="en_US" />
<meta name="description" content="Network software - network traffic analysis, internet service classification, metadata extraction." />
<meta property="og:description" content="Network software - network traffic analysis, internet service classification, metadata extraction." />
<link rel="canonical" href="https://txt.slinkin.tech/" />
<meta property="og:url" content="https://txt.slinkin.tech/" />
<meta property="og:site_name" content="slinkin-tech" />
<meta property="og:image" content="https://txt.slinkin.tech/assets/img/logo.png" />
<meta property="og:type" content="website" />
<meta name="twitter:card" content="summary_large_image" />
<meta property="twitter:image" content="https://txt.slinkin.tech/assets/img/logo.png" />
<meta property="twitter:title" content="/" />
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"WebSite","description":"Network software - network traffic analysis, internet service classification, metadata extraction.","headline":"/","image":"https://txt.slinkin.tech/assets/img/logo.png","name":"slinkin-tech","publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"https://txt.slinkin.tech/assets/img/favicon.png"}},"url":"https://txt.slinkin.tech/"}</script>
<!-- End Jekyll SEO tag -->


  <link rel="shortcut icon" type="image/x-icon" href="/assets/img/favicon.ico"><link rel="stylesheet" type="text/css" href="/assets/main-light.css"><link rel="stylesheet" href="/assets/css/style.css"><script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script><script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-0000000000');

</script></head>

And console log errors:

Ignoring duplicate Content-Security-Policy directive 'script-src'.
(index):12 Ignoring duplicate Content-Security-Policy directive 'connect-src'.
(index):12 Ignoring duplicate Content-Security-Policy directive 'img-src'.
(index):1 Loading the script 'https://www.googletagmanager.com/gtag/js?id=G-0000000000' violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
(index):41 Executing inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-fTmxqANnNCLMx8xX0gnBUUfr27aNCNTxwtbwqLrhoIc='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
8Applying inline style violates the following Content Security Policy directive 'style-src 'self' <URL>'. Either the 'unsafe-inline' keyword, a hash ('sha256-6l+tpow5lGPV0MHWZlDv8nD7HrL77FGFldqQ7zc5gxY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. The action has been blocked.

I didn't find a way for valid Google Tag initing. How to do that properly? ( I replace real google tag with 0000000000, but on website it is real)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions