Update content security policy

- need to include google analytics domain because initialising GA involves a call to append a new script onto the DOM and run it
alphagov · Oct 22, 2020 · 73cc9ff · 73cc9ff
1 parent 31c9395
commit 73cc9ff
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -16,7 +16,8 @@
 
   # we're also setting a nonce, which will cause browsers which
   # support nonces to ignore the :unsafe_inline directive.
-  policy.script_src      :self, :unsafe_inline
+  policy.script_src      :self, :unsafe_inline, "https://www.google-analytics.com"
+  policy.img_src         :self, "https://www.google-analytics.com"
 
   # Specify URI for violation reports
   # policy.report_uri "/csp-violation-report-endpoint"