15

I have the Content Security Policy:

default-src 'none';
style-src 'self';
script-src 'self' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
connect-src 'self';

On my page I have put the inline GA code into an async script:

<script src="/javascript/ga.js" async></script>

This causes a CSP error:

Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZl…07Cgl9OwoJZ2EucmVtb3ZlID0gbm9vcGZuOwoJd2luZG93W2dhTmFtZV0gPSBnYTsKfSkoKTs=' because it violates the following Content Security Policy directive: "script-src 'self' https://www.google-analytics.com".

Is there any way to serve this script from a JS file, and if not how would I need to change the CSP?

Tom Gullen
  • 61,249
  • 84
  • 283
  • 456
  • Might this be similar to this: http://stackoverflow.com/questions/41118558/what-is-the-correct-content-security-policy-for-google-analytics ? – Eike Pierstorff Dec 30 '16 at 15:25
  • @Eike I don't think it's much help sorry, have put a bounty on this question in hopes of getting an answer. – Tom Gullen Jan 05 '17 at 11:58
  • It logs the headers of the request, but not the URI. Can you log this please? By looking in the network tab – gr3g Jan 10 '17 at 10:13
  • Did you tried this : `script-src 'self' www.google-analytics.com;`? It is an example of the csp... https://content-security-policy.com/ – gr3g Jan 10 '17 at 10:21

2 Answers2

14

Google Analytics is CSP-compatible. The base64-encoded data: blob OP is seeing is being injected by the uBlock Origin extension. To verify, disable it/try incognito. IIRC, this is due to an "experimental/unbreak" setting in the extension.

Please resist the temptation to whitelist data: in script-src. That would make the policy completely useless for XSS mitigation, since an attacker could just inject <script src="data:text/javascript,alert(1)"></script> to execute Javascript.

Michele Spagnuolo
  • 942
  • 5
  • 14
7

Please see Michele Spagnuolo's answer and upvote.

This is caused by uBlock Origin and it is because data URLs are not whitelisted:

script-src data:;

There is no point in doing this as this could leave your application vulnerable should untrusted data be used as URLs anywhere within your application, or if the attacker can inject tags that use such URLs. This of course depends on the injection point and which characters are allowed.

Of course you should be whitelisting any user entered URLs (e.g. make sure they start with http:// or https://), however as CSP is defence-in-depth measure you probably don't want to weaken it too much.

The upshot is that you're weakening your CSP by doing this in order to prevent a CSP report or error from being triggered.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
  • This makes the policy completely useless for XSS mitigation, since an attacker could just inject: ```` to execute Javascript. – Michele Spagnuolo May 24 '17 at 20:20
  • Therein lies the flaw with CSP. Too hard to integrate post development and trouble is your third party addins are designed like this too meaning their implementation dilutes your CSP. – SilverlightFox May 24 '17 at 20:25
  • Ps. Why the downvote? I already mentioned that it weakens the policy. It's the difference between Analytics working vs it not. – SilverlightFox May 24 '17 at 20:28
  • Google Analytics does not need ``data:`` to be whitelisted in script-src to work. – Michele Spagnuolo May 26 '17 at 07:07
  • @MicheleSpagnuolo: Is that a recent change? What is the reason the OP and others get the error relating to `data` URLs? – SilverlightFox May 26 '17 at 15:07
  • Google Analytics has always been CSP compatible. The base64-encoded data: blob OP is seeing is being injected by the uBlock Origin extension. To verify, disable it/try incognito. IIRC, this is due to an "experimental/unbreak" setting in the extension. – Michele Spagnuolo May 28 '17 at 09:08
  • 1
    Thanks. Maybe you should add this as an answer then I'll delete mine? – SilverlightFox May 28 '17 at 10:07
  • This is dangerous and the correct answer is the one below which talks about uBlock. – rawpower Feb 01 '18 at 08:13
  • 1
    @rawpower: Thanks for reminding me to come back to this post after their answer. My answer updated. – SilverlightFox Feb 01 '18 at 10:03
  • So this CSP block can potentially be ignored and GA will still work? What's potentially annoying is that this would still flood any CSP report services with noise. – shennan Aug 10 '18 at 13:58