Merge pull request #1612 from alphagov/fix-analytics-csp

Stop content security policy blocking GA
2026-06-19 04:36:32 -04:00 · 2017-11-06 10:45:51 +00:00
parent 98c8ddca38 1d10ad2247
commit db8f7032fe
2 changed files with 2 additions and 0 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -441,6 +441,7 @@ def useful_headers_after_request(response):
    response.headers.add('Content-Security-Policy', (
        "default-src 'self' 'unsafe-inline';"
        "script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
+        "connect-src 'self' *.google-analytics.com;"
        "object-src 'self';"
        "font-src 'self' data:;"
        "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk {} data:;"
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -10,6 +10,7 @@ def test_owasp_useful_headers_set(client, mocker):
    assert response.headers['Content-Security-Policy'] == (
        "default-src 'self' 'unsafe-inline';"
        "script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
+        "connect-src 'self' *.google-analytics.com;"
        "object-src 'self';"
        "font-src 'self' data:;"
        "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk static-logos.test.com data:;"