diff --git a/app/__init__.py b/app/__init__.py
index 17df9f221..813aa3e41 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -167,7 +167,7 @@ def useful_headers_after_request(response):
response.headers.add('X-Content-Type-Options', 'nosniff')
response.headers.add('X-XSS-Protection', '1; mode=block')
response.headers.add('Content-Security-Policy',
- "default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:;") # noqa
+ "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;") # noqa
if 'Cache-Control' in response.headers:
del response.headers['Cache-Control']
response.headers.add(
diff --git a/app/templates/admin_template.html b/app/templates/admin_template.html
index 666add0bb..8b773ce7c 100644
--- a/app/templates/admin_template.html
+++ b/app/templates/admin_template.html
@@ -83,4 +83,12 @@
{% block body_end %}
+
{% endblock %}
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index bf6303f25..006855439 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -6,4 +6,4 @@ def test_owasp_useful_headers_set(app_):
assert response.headers['X-Frame-Options'] == 'deny'
assert response.headers['X-Content-Type-Options'] == 'nosniff'
assert response.headers['X-XSS-Protection'] == '1; mode=block'
- assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:;" # noqa
+ assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;" # noqa