diff --git a/app/__init__.py b/app/__init__.py
index 5b2c31e6d..17b5a4595 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -359,10 +359,10 @@ def useful_headers_after_request(response):
response.headers.add('X-XSS-Protection', '1; mode=block')
response.headers.add('Content-Security-Policy', (
"default-src 'self' 'unsafe-inline';"
- "script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
+ "script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
"object-src 'self';"
"font-src 'self' data:;"
- "img-src 'self' *.notifications.service.gov.uk data:;"
+ "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
))
if 'Cache-Control' in response.headers:
del response.headers['Cache-Control']
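Review bot: The new `script-src` entry on the `+` line is a wildcard, `*.google-analytics.com`, which authorises script from every current and future subdomain of that zone rather than the one host the tracking snippet presumably loads from; pin it to the exact hostname, e.g. `"script-src 'self' www.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"` and likewise `"img-src 'self' www.google-analytics.com *.notifications.service.gov.uk data:;"` (confirm the host against the snippet added in the template). Note also that the allowlist buys little while the same directive still carries `'unsafe-inline'`, `'unsafe-eval'` and `data:`, since any injected inline or `data:` script is already permitted; a nonce on the analytics snippet would let those be dropped in a follow-up. Worth a one-line comment above the policy stating why each third-party origin is present, e.g. `# google-analytics: GA tracking snippet in admin_template.html (script + tracking pixel)`. The enclosing `useful_headers_after_request` starts before and continues after this hunk.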
diff --git a/app/templates/admin_template.html b/app/templates/admin_template.html
index 08f4587b5..aa57f52d5 100644
--- a/app/templates/admin_template.html
+++ b/app/templates/admin_template.html
@@ -129,4 +129,12 @@
{% block body_end %}
+
{% endblock %}
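Review bot: The hunk header reports eight added lines in `body_end`, but only an empty `+` line is visible here, so the inserted markup cannot be reviewed from this view. If it is the inline Google Analytics bootstrap (as the CSP change in the same commit suggests), it executes only because `script-src` carries `'unsafe-inline'`; consider giving the `<script>` tag a per-request nonce so the policy can later drop that keyword, and a `{# GA tracking snippet; origin allowlisted in app/__init__.py CSP #}` comment tying the two changes together.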
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index 8bf3d9d99..9f4ec9b80 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -8,8 +8,8 @@ def test_owasp_useful_headers_set(app_):
assert response.headers['X-XSS-Protection'] == '1; mode=block'
assert response.headers['Content-Security-Policy'] == (
"default-src 'self' 'unsafe-inline';"
- "script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
+ "script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
"object-src 'self';"
"font-src 'self' data:;"
- "img-src 'self' *.notifications.service.gov.uk data:;"
+ "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
)