
Content-Security-Policy Warnings

Open jamesarosen opened this issue 9 years ago • 3 comments

As noted in the README, this addon uses contentFor to inject a <script>...</script> into the HTML. Content-Security-Policy v2 requires all such tags have a cryptographic signature. See https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

Would it be possible to do one of the following?

  1. Move the setup code into a generated module in vendor.js or its own google-analytics.js.
  2. In the config callback, modify config.contentSecurityPolicy['script-src'] (if it exists), adding the signature.

The second option requires adding a dependency on a crypto library (build-time concern, not in the generated JS).

In either case, you could move the configuration (UA-XXXX-Y) into a <meta> tag in the HTML and pull it off there in the JS.

See also rwjblue/ember-cli-content-security-policy#67

jamesarosen avatar Jul 08 '16 20:07 jamesarosen

One option would be

  1. use contentFor to inject <meta name="ga-web-property-id" content="UA-XXXX-Y" /> and <script async src='https://www.google-analytics.com/analytics.js'></script> into the <head> tag
  2. add the window.ga setup (pulling the value from the <meta /> tag) to vendor.js

I'm happy to put together a PR if you like this idea.

jamesarosen avatar Jul 11 '16 17:07 jamesarosen

I do not believe Google Analytics provides the proper server-side CORS headers to enable this feature. If hashes are enabled the browser will complain the CORS header is missing.

gauthierm avatar Oct 21 '16 22:10 gauthierm

The version of the Google Analytics tracker I use doesn't use CORS to do tracking. It uses the old 1-pixel image trick to request things like GET https://www.google-analytics.com/collect?....

But maybe I'm just unfamiliar with part of the CSP process. Does the browser try to make a cross-origin XHR request to get security configuration if the <script> has a security hash?

jamesarosen avatar Oct 30 '16 21:10 jamesarosen