csp-report-to-google-analytics

Content-Security-Policy(CSP) report to Google Analytics.

Usage

This library should be used with analytics.js. This library does not work with gtag.js. Please see gtag.js API? · Issue #202 · googleanalytics/autotrack.

You can load this library from unpkg CDN.

• https://unpkg.com/csp-report-to-google-analytics/dist/csp-report-to-google-analytics.min.js

<!-- Google Analytics -->
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
// require csp-report-to-google-analytics plugin
ga('require', 'csp-report');
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<!-- End Google Analytics -->
<!-- Load csp-report-to-google-analytics plugin -->
<script async src='https://unpkg.com/csp-report-to-google-analytics/dist/csp-report-to-google-analytics.min.js'></script>

You have already introduced analytics.js, then add these to existing analytic setting.

• ga('require', 'csp-report');
• <script async src='https://unpkg.com/csp-report-to-google-analytics/dist/csp-report-to-google-analytics.min.js'></script>

CSP

You need to enable CSP on your site.

The Content-Security-Policy-Report-Only HTTP Header is useful to found mixed contents on your site.

Content-Security-Policy-Report-Only: default-src https:;

Also, <meta> tag can enable Content-Security-Policy, but <meta> tag does not support ``Content-Security-Policy-Report-Only` header.

<!-- Work -->
<meta http-equiv="Content-Security-Policy" content="default-src https:">
<!-- Not Work -->
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src https:">

For more information about CSP, see Content Security Policy CSP Reference & Examples.

Tips

You should allow to http://www.google-analytics.com/* on HTTP site. Google Analytics use HTTP

Content-Security-Policy-Report-Only: default-src https: http://www.google-analytics.com/* 'unsafe-eval' 'unsafe-inline';

Options

• debug: boolean
  • Default: false

ga('require', 'csp-report', {
    debug: true
});

Default field values

Field	Value
hitType	'pageview'
eventCategory	'CSP Report'
eventAction	SecurityPolicyViolationEvent.violatedDirective
eventLabel	SecurityPolicyViolationEvent.blockedURI
nonInteraction	true

Example

efcl.info introduce this plugin:

• Add CSP report by azu · Pull Request #158 · efcl/efcl.github.io

Results:

Changelog

See Releases page.

Contributing

Pull requests and stars are always welcome.

For bugs and feature requests, please create an issue.

1. Fork it!
2. Create your feature branch: git checkout -b my-new-feature
3. Commit your changes: git commit -am 'Add some feature'
4. Push to the branch: git push origin my-new-feature
5. Submit a pull request :D

Author

• github/azu
• twitter/azu_re

License

MIT © azu