
Javascript runs afoul of content security policy

Open SKisContent opened this issue 7 years ago • 4 comments

On sites that have a HTTP content security policy that is not "unsafe-inline", the analytics Javascript fails to execute. One solution would be to let users specify a string in the settings that is inserted into the

SKisContent avatar Jan 17 '18 08:01 SKisContent

Thanks for the notice, @SKisContent. What would be required specifically to work around this, can you give a bit more detail?

jcassee avatar Jan 18 '18 09:01 jcassee

One CSP option is to add a nonce="xxx" attribute to the section into the rendered page HTML; it would need to do the value substitution on its own.

SKisContent avatar Jan 22 '18 17:01 SKisContent

Another solution would be to serve up a special view that served the normally inline code as a javascript file instead. (See, for instance, how Matomo/Piwik recommends serving a tracking.js file: https://matomo.org/faq/general/faq_20904/)

harrislapiroff avatar Apr 26 '18 23:04 harrislapiroff

django-csp has a context processor to inject a nonce into the render context and can also add it to response headers.

If analytics nodes could add a placeholder in their script template to handle this template variable, it could be easy to use.

sevdog avatar May 21 '20 10:05 sevdog
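The nonce approach discussed in this thread, as an added illustration that is not code from django-analytical or django-csp: a per-response nonce is placed both in the Content-Security-Policy header and in the rendered inline script tag, and the final function shows which inline scripts such a policy would refuse to run. The function names and the tracking snippets are my own constructions.

```python
import base64
import re
import secrets


def make_nonce() -> str:
    """Generate a fresh per-response nonce (128 random bits, base64), as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def render_tracking_script(nonce: str, snippet: str) -> str:
    """Render the analytics snippet as an inline <script> carrying the nonce attribute."""
    return f'<script nonce="{nonce}">{snippet}</script>'


def build_csp_header(nonce: str) -> str:
    """Build a policy that allows nonced scripts without resorting to 'unsafe-inline'."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def allowed_nonces(csp_header: str) -> set:
    """Extract the nonce values permitted for scripts by a CSP header.

    Uses script-src when present, otherwise falls back to default-src as browsers do."""
    directives = {}
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-") and s.endswith("'")}


def inline_scripts_blocked(html: str, csp_header: str) -> list:
    """Return the bodies of inline <script> tags that the given policy would not execute.

    Mirrors the browser rule: an inline script runs only if its nonce attribute matches
    a nonce listed in the effective script source directive."""
    permitted = allowed_nonces(csp_header)
    blocked = []
    for match in re.finditer(r"<script\b([^>]*)>(.*?)</script>", html, re.S):
        attrs, body = match.groups()
        if re.search(r"\bsrc=", attrs):
            continue  # external scripts are matched against host sources, not nonces
        nonce_attr = re.search(r'nonce="([^"]*)"', attrs)
        if nonce_attr is None or nonce_attr.group(1) not in permitted:
            blocked.append(body)
    return blocked
```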