The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on both. What are the best practices in this area?

This is the Content-Security-Policy header that I'm currently using:

default-src 'self'; script-src 'self' https://ssl.google-analytics.com; img-src 'self'  http://www.google-analytics.com/__utm.gif https://ssl.google-analytics.com/__utm.gif;

So far, I've done the following:

I added two script tags to my html:

<script src="/js/google-analytics.js"></script>
<script src="https://ssl.google-analytics.com/ga.js" async="true"></script>

google-analytics.js sets up the _gaq array with _setAccount and _trackPageview.

I added the domain for ga.js to the script-src.

I noticed that ga.js was loading two images, so I added them to img-src.

Is there anything I'm missing? Will Google change things on me and break all of this? Is there any official recommendation?

This is mostly right:

1. You don't need the path to the image, just the protocol + host + (implied) port

2. Firefox differs slightly in its CSP implementation. For older versions, replace default-src with allow. There was a cutoff where Firefox supported default-src as equal to allow but most still implement with allow until it fully supports the spec (no citation included).