Can Content Security Policy be made compatible with Google Analytics and AdSense? - javascript

Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?
I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.
Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.
Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.
I posted to Google about a month ago about the incompatibility but no answer refuted that (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031).
The Stack Overflow answers at <Google Analytics and Content-Security-Policy header > do not indicate that anyone is getting within-website Analytics data and that thread is based on an outdated Google script.
The thread at <Google analytics.js and Content Security Policy > is for an app, not a website, no one there reported getting within-website Analytics data, and my efforts failed even with the maximally permissive CSP.
A solution is in the thread <Google analytics Universal code not tracking > but the solution is limited to setting CSP to reporting, not blocking, which is not of much use to me.
No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model <.htaccess>, their respondent said it works for him and referred me to you.
As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?

Adsense
For Google adsense, e.g. this CSP "works":
Content-Security-Policy: frame-ancestors 'self';
It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.
But the Adsense scripts can be loading something that loads, which in turn loads etc. And given the thousands (at the time of writing: 3103 ) 3rd party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So to restrict where you're going to let images, flash, javascript etc. be loaded from if you want to have Adsense just is not going to happen.
One or the other:
either Adsense
either a restrictive CSP
But not both.
Analytics
is another matter, already covered in other replies. [not a user]
CSP policies
Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.
While writing policies it might be better to put a report-only one up first.
The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only

No. As of today [8 Sep 16]. We disabled CSP as Google frame source was domain specific -> frame-src : … google.co.uk google.co.fr ...

Using below code works for me :
default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com; frame-ancestors 'self'; object-src 'self'

Or log all error with report-uri for add sources to your CSP.
JSON will POST to that URL (https://example.com/csp/log.php).
Content-Security-Policy: default-src 'self';
report-uri: https://example.com/csp/log.php;

With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all javascript in (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (php, ruby, etc.), but if this is outside of your app/in a regular old html file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)

Related

Twtich extension - Refused to connect to external API

I am working on a twitch extension and I have created an API externally for the app to connect to. I've had this error now for roughly two days and I can't seem to find a solution to it.
Refused to connect to 'https://community.shadowmont.com/oauth/GetUserProfileDetails' because it violates the following Content Security Policy directive: "connect-src 'self' https://lgqt8zmxwk4v3ubxobrmy8r2f49uc1.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://www.google-analytics.com https://stats.g.doubleclick.net".
The front end is JavaScript / HTML and it's trying to connect to an MVC5 API. I've Googled around for the answer and most posts say to add a meta-tag to the header, but no matter what I try, this does not solve the issue. I'm at a point now where I am not sure what to do.
One of the posts I found told me to add
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:; default-src 'self' http://XX.XX.XX.XX:8084/mypp/">
But this didn't work.
You need to add any External Domains you connect to in the "Allowlist for URL Fetching Domains" in the Dev Console for your Extension. The same goes for External Media or Images.
Extensions utilise a CSP or Content Security Policy to control/limit/protect Extensions from connecting to unexpected things.
Twitch DOES NOT support the meta tag version of this, as it is less secure. It is overriden/set by the Twitch Extensions CDN Server Headers for security reasons.
To populate these parameters,
Visit the Developer Console.
Manage Your Extension
Manage the Version of the Extension you are working on
Click Capabilities
Scroll to Allowlist for URL Fetching Domains at the bottom.
Add in the URL's as needed.
Further reading
https://dev.twitch.tv/docs/extensions#restrictions-on-content
https://discuss.dev.twitch.tv/t/new-extensions-policy-for-content-security-policy-csp-directives-and-timeline-for-enforcement/33695/
For testing under local test there is this NodeJS Module which you can use as is or copy the relevant logic into your own local test system which will save you having to jump to hosted test/local test too much.

Disabling content security policy of a Web page via a Chrome Extension

I'm creating a Chrome Extension which modifies a script served by the server (which I have no control over) to add new functionality to the website, and I had the following idea:
Block the original script via WebRequest, webRequestBlocking.
Send the url of the blocked script to a script injected into the page.
GET this url from the page's script.
Edit a part of the code (string).
Eval the string.
(Another working way is to redirect it to a local modified script return { redirectUrl: chrome.extension.getURL("modified.js") };, inside the Chrome Extension folder, but then it's impossible to modify it on the fly, that's why I want to eval a modified script)
When I try to eval the string in the 5th step, it says: ...'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com".
I've tried to use webRequest.onHeadersReceived to see if I could alter CSP headers (as some answers suggested: Edit Content Security Policy in onHeadersReceived), but there is no "content-security-policy" header.
I can see a Content Security Policy meta tag (I've omitted everything except 'script-src'):
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com; base-uri 'none';">
From this answer (https://stackoverflow.com/a/27324485/10364842), Chrome Extensions cannot override CSP of Web pages. But someone replies: I know this is incredibly old, but I came across it while trying to inject Artoo.js into a page. The chrome extension does indeed allow you to modify the page you're looking at and let any content through.
Eval works in the content script, but I need to execute the script in the page's context, because it depends on the global scope.
I'm wondering if it's possible to alter CSP of a Web page through a Chrome Extension, or if there is any other way to accomplish this solely via a Chrome extension?
"Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load and resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.
You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax." https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

Youtube player not working in the production build

I'm trying to implement a youtube player in my web application. For this i have used the following react library
react-youtube
https://github.com/troybetz/react-youtube
I have implemented it and working in the localhost without any issue. But it stops working in the production build. It gives out an error like the following
Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
What causes this and how can i fix this?
This is most likely because your production server is only allowing you to embed scripts which is coming from its own origin, or script-src 'self'.
This is done using the Content-Security-Policy either as a response header, HTML meta tag or manifest.json file. Please check with the network inspector where this CSP is set. If you are running on a CloudFront or other content network you need to configure it to allow it.
You need to extend this to allow YouTube, eg. extending it like script-src 'self' youtube.com;

Google adsense and content security policy [duplicate]

Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?
I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.
Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.
Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.
I posted to Google about a month ago about the incompatibility but no answer refuted that (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031).
The Stack Overflow answers at <Google Analytics and Content-Security-Policy header > do not indicate that anyone is getting within-website Analytics data and that thread is based on an outdated Google script.
The thread at <Google analytics.js and Content Security Policy > is for an app, not a website, no one there reported getting within-website Analytics data, and my efforts failed even with the maximally permissive CSP.
A solution is in the thread <Google analytics Universal code not tracking > but the solution is limited to setting CSP to reporting, not blocking, which is not of much use to me.
No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model <.htaccess>, their respondent said it works for him and referred me to you.
As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?
Adsense
For Google adsense, e.g. this CSP "works":
Content-Security-Policy: frame-ancestors 'self';
It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.
But the Adsense scripts can be loading something that loads, which in turn loads etc. And given the thousands (at the time of writing: 3103 ) 3rd party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So to restrict where you're going to let images, flash, javascript etc. be loaded from if you want to have Adsense just is not going to happen.
One or the other:
either Adsense
either a restrictive CSP
But not both.
Analytics
is another matter, already covered in other replies. [not a user]
CSP policies
Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.
While writing policies it might be better to put a report-only one up first.
The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only
No. As of today [8 Sep 16]. We disabled CSP as Google frame source was domain specific -> frame-src : … google.co.uk google.co.fr ...
Using below code works for me :
default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com; frame-ancestors 'self'; object-src 'self'
Or log all error with report-uri for add sources to your CSP.
JSON will POST to that URL (https://example.com/csp/log.php).
Content-Security-Policy: default-src 'self';
report-uri: https://example.com/csp/log.php;
With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all javascript in (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (php, ruby, etc.), but if this is outside of your app/in a regular old html file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)

How to block google ads from injecting JavaScript

Some google ads start injecting JavaScript and poping ads all over the screen
How can I block these random scripts that are injected through google ads?
This is not perfect, but it seems to be very effective in my case (all pages are SSL) and also prevent SSL mixed mode messages caused by google ads third party plugin scripts...
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; object-src 'none'">
Content-Security-Policy is critical to prevent mixed content errors
(too many errors can show a "connection not secure" by the browser and memory leaks)
https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic-https-rewrites and
How does Content Security Policy work?

Categories