From 0cda62465793c2d70270e3c73ce56d42136dd894 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott <me@quis.cc>
Date: Fri, 18 Mar 2016 14:49:53 +0000
Subject: [PATCH] Add Google Analytics
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://www.pivotaltracker.com/story/show/115861923

Makes some changes to the content security policy, to allow
the Google Analytics JS and trakcing image to be loaded,
copied from @alexmuller’s excellent work on GOV.UK:

https://gdstechnology.blog.gov.uk/2015/02/12/experimenting-with-content-security-policy-on-gov-uk/
https://github.com/alphagov/frontend/pull/733
---
 app/__init__.py                      | 2 +-
 app/templates/admin_template.html    | 8 ++++++++
 tests/app/main/views/test_headers.py | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index 076889b6b..2eedaf0b5 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -161,7 +161,7 @@ def useful_headers_after_request(response):
     response.headers.add('X-Content-Type-Options', 'nosniff')
     response.headers.add('X-XSS-Protection', '1; mode=block')
     response.headers.add('Content-Security-Policy',
-                         "default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:;")  # noqa
+                         "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;")  # noqa
     if 'Cache-Control' in response.headers:
         del response.headers['Cache-Control']
     response.headers.add(
diff --git a/app/templates/admin_template.html b/app/templates/admin_template.html
index 666add0bb..8b773ce7c 100644
--- a/app/templates/admin_template.html
+++ b/app/templates/admin_template.html
@@ -83,4 +83,12 @@
 
 {% block body_end %}
   <script type="text/javascript" src="{{ asset_url('javascripts/all.js') }}" /></script>
+  <script>
+    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+    ga('create', 'UA-75215134-1', 'auto');
+    ga('send', 'pageview');
+  </script>
 {% endblock %}
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index bf6303f25..006855439 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -6,4 +6,4 @@ def test_owasp_useful_headers_set(app_):
     assert response.headers['X-Frame-Options'] == 'deny'
     assert response.headers['X-Content-Type-Options'] == 'nosniff'
     assert response.headers['X-XSS-Protection'] == '1; mode=block'
-    assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:;"  # noqa
+    assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;"  # noqa