Can Content Security Policy be made compatible wit

Published 2019-03-19 10:16

Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?

I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.

Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.

Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.

No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model <.htaccess>, their respondent said it works for him and referred me to you.

As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?

5 answers
看我几分像从前
#2 · 2019-03-19 10:47

Using the code below works for me:

default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com;
frame-ancestors 'self';
object-src 'self'
爷的心禁止访问
#3 · 2019-03-19 10:56

Adsense

For Google adsense, e.g. this CSP "works":

Content-Security-Policy: frame-ancestors 'self';

It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.

But the AdSense scripts can be loading something that loads something else, which in turn loads more, etc. And given the thousands (at the time of writing: 3103) of 3rd-party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So restricting where you're going to let images, Flash, JavaScript, etc. be loaded from, if you want to have AdSense, just is not going to happen.

One or the other:

  • either AdSense
  • or a restrictive CSP

But not both.

Analytics

is another matter, already covered in other replies. [not a user]

CSP policies

Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.

While writing policies it might be better to put a report-only one up first. The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it won't block anything; it just does the reporting part, in JSON, to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only

劫难
#4 · 2019-03-19 11:00
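The two points made above (that `*` and `https:` grant neither `'unsafe-inline'` nor `data:`, and that a directive falls back to default-src when absent) are easy to check with a small source-expression matcher. The following is an added example, not code from the page or from any of the people replying: it implements a simplified subset of the CSP matching rules in JavaScript (no nonces, hashes, `'strict-dynamic'`, ports or paths; `frame-src` falls straight back to `default-src`), and exercises it against a policy modelled on the one in reply #2. The page origin `https://example.com` and the URLs checked are assumptions for illustration.

```javascript
// Added example: minimal CSP source-expression matcher (subset of CSP Level 2/3).
// Not from the original page. Shows that '*' and 'https:' exclude inline code and
// data: URLs, and how fetch directives fall back to default-src.

// Fallback chain for the directives we model. CSP3 has child-src in the chain for
// frame-src; that intermediate step is deliberately omitted here.
const FETCH_FALLBACK = {
  'script-src': 'default-src',
  'img-src': 'default-src',
  'style-src': 'default-src',
  'font-src': 'default-src',
  'frame-src': 'default-src',
  'connect-src': 'default-src',
  'object-src': 'default-src',
};

// Parse "default-src 'self' a.example; script-src ..." into {directive: [sources]}.
// Per spec, a repeated directive name is ignored: the first occurrence wins.
function parsePolicy(policyText) {
  const out = {};
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1);
  }
  return out;
}

// Source list that governs `directive`, following the fallback chain; null if none.
function effectiveSources(policy, directive) {
  let name = directive;
  while (name) {
    if (name in policy) return policy[name];
    name = FETCH_FALLBACK[name];
  }
  return null;
}

// Does one source expression match a request?
// request is {url: 'https://host/path'} for a fetch, or {inline: true} for inline code.
function sourceMatches(expr, request, origin) {
  const e = expr.toLowerCase();
  if (request.inline) return e === "'unsafe-inline'";      // only this keyword allows inline
  const u = new URL(request.url);
  if (u.protocol === 'data:') return e === 'data:';        // '*' and https: do NOT cover data:
  if (e === "'self'") return u.origin === origin;
  if (e.startsWith("'")) return false;                     // other keywords: not modelled
  if (e === '*') return true;                              // any network scheme
  if (e.endsWith(':')) return u.protocol === e;            // scheme-source, e.g. https:
  // host-source: [scheme://]host, optionally with a *. prefix
  let scheme = null;
  let host = e;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/.exec(e);
  if (m) { scheme = m[1] + ':'; host = m[2]; }
  host = host.split('/')[0].split(':')[0];
  if (scheme && u.protocol !== scheme) return false;
  if (!scheme && !['https:', 'http:', 'ws:', 'wss:'].includes(u.protocol)) return false;
  if (host.startsWith('*.')) {
    return u.hostname.endsWith(host.slice(1)) && u.hostname !== host.slice(2);
  }
  return u.hostname === host;
}

// Does `policyText` allow `request` under `directive`, for a page at `origin`?
function allows(policyText, directive, request, origin = 'https://example.com') {
  const sources = effectiveSources(parsePolicy(policyText), directive);
  if (sources === null) return true;                       // nothing restricts it
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  return sources.some((s) => sourceMatches(s, request, origin));
}

// Policy modelled on the one posted in reply #2 (sample input for this example).
const ADSENSE_POLICY =
  "default-src 'self' googleads.g.doubleclick.net; " +
  "script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com; " +
  "img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com; " +
  "style-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com; " +
  "frame-ancestors 'self'; object-src 'self'";
```

Running `allows("default-src *", "script-src", {inline: true})` returns false, as does the same policy for a `data:` script URL, which is the point of the warning above; `allows(ADSENSE_POLICY, "frame-src", {url: "https://googleads.g.doubleclick.net/pagead/ads"})` is true only because frame-src falls back to the posted default-src. Note that the posted policy's `data:` in script-src, like its `'unsafe-inline'`, lets an injected `<script src="data:...">` run, so it trades away most of the XSS value of the script-src directive.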

With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.

1.) Put all JavaScript (GA, AdSense, etc.) in .js files. No inline JS.

2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html

3.) Include the .js files as you normally include any file, but add a nonce:

<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>

The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (PHP, Ruby, etc.), but if this is outside of your app/in a regular old HTML file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)

混吃等死
#5 · 2019-03-19 11:11

No, as of today [8 Sep 16]. We disabled CSP as the Google frame source was domain-specific -> frame-src: … google.co.uk google.co.fr ...

孤傲高冷的网名
#6 · 2019-03-19 11:12

Or log all errors with report-uri to add sources to your CSP.

JSON will be POSTed to that URL (https://example.com/csp/log.php).

Content-Security-Policy: default-src 'self'; report-uri https://example.com/csp/log.php;
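What the endpoint at the report-uri has to do with those POSTs is the part the reply leaves out. The following is an added example, not code from the page or from the person replying, and not a PHP log.php: it parses the `csp-report` JSON a browser sends, maps each `blocked-uri` to the source expression that would allow it, and aggregates counts per effective directive. The three reports embedded in it are constructed for illustration (the hosts and paths are assumptions), and the decision to leave `inline` and `eval` violations for manual review rather than auto-suggesting `'unsafe-inline'` / `'unsafe-eval'` is a design choice of this example.

```javascript
// Added example: aggregate CSP violation reports into candidate allowlist additions.
// Not from the original page. Sample reports below are constructed for illustration.

// Three constructed reports in the shape browsers POST to report-uri.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://example.com/post/1',
    'violated-directive': 'default-src',
    'effective-directive': 'script-src',
    'original-policy': "default-src 'self'; report-uri https://example.com/csp/log.php",
    'blocked-uri': 'https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js',
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://example.com/post/1',
    'violated-directive': 'default-src',
    'effective-directive': 'img-src',
    'original-policy': "default-src 'self'; report-uri https://example.com/csp/log.php",
    'blocked-uri': 'data',
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://example.com/',
    'violated-directive': 'default-src',
    'effective-directive': 'script-src',
    'original-policy': "default-src 'self'; report-uri https://example.com/csp/log.php",
    'blocked-uri': 'inline',
  } }),
];

// Map a blocked-uri value to the source expression that would allow it, or null when
// the right fix is not an allowlist entry. Browsers report 'inline', 'eval', 'data',
// 'blob' as bare words; for URLs we keep only the origin, since paths are noise.
function sourceFor(blockedUri) {
  if (blockedUri === 'inline' || blockedUri === 'eval') return null; // nonce/hash decision, not allowlist
  if (blockedUri === 'data') return 'data:';
  if (blockedUri === 'blob') return 'blob:';
  try {
    const u = new URL(blockedUri);
    return u.origin !== 'null' ? u.origin : null;
  } catch (e) {
    return null; // unparseable: ignore rather than allowlist garbage
  }
}

// Parse one raw POST body. Returns null on malformed input instead of throwing, since
// the endpoint is reachable by anyone and must not fall over on hostile bodies.
function parseReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // Old browsers put the whole directive text ("default-src 'self'") in violated-directive;
  // effective-directive is the one a fix should target.
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  if (!directive) return null;
  return {
    directive,
    blockedUri: String(r['blocked-uri'] || ''),
    document: String(r['document-uri'] || ''),
  };
}

// Aggregate many bodies into {additions: {directive: {source: count}}, needsReview: [...]}.
// Counts matter: a source seen once is often a browser extension or a scanner, not the site.
function suggestAllowlist(bodies) {
  const additions = {};
  const needsReview = [];
  for (const body of bodies) {
    const rep = parseReport(body);
    if (!rep) continue;
    const src = sourceFor(rep.blockedUri);
    if (src === null) { needsReview.push(rep); continue; }
    additions[rep.directive] = additions[rep.directive] || {};
    additions[rep.directive][src] = (additions[rep.directive][src] || 0) + 1;
  }
  return { additions, needsReview };
}
```

On the sample input this yields `script-src https://pagead2.googlesyndication.com` and `img-src data:` as additions, and one inline-script violation for manual review. One caveat when applying the output: the reports say `img-src` because that is the effective directive, but the policy only has `default-src`; adding a new `img-src data:` line replaces the fallback, so it must repeat `'self'` (or whatever default-src had) or it will start blocking the site's own images.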