
Fix bug 842557 and bug 842564: Cull CSP and move GA to external JS file.

commit 12dd259c38b93568aa792bb21c850dfab39b522f 1 parent 3cac58a
@Osmose Osmose authored
16 flicks/base/static/js/ga.js
@@ -0,0 +1,16 @@
+var _gaAccountCode = document.documentElement.getAttribute('data-ga-code');
+
+var _gaq = _gaq || [];
+_gaq.push(['_setAccount', _gaAccountCode]);
+_gaq.push(['_trackPageview']);
+
+if (_gaAccountCode) {
+ (function() {
+ var ga = document.createElement('script');
+ ga.type = 'text/javascript';
+ ga.async = true;
+ ga.src = 'https://ssl.google-analytics.com/ga.js';
+ var s = document.getElementsByTagName('script')[0];
+ s.parentNode.insertBefore(ga, s);
+ })();
+}
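Review bot: The `_gaq.push(['_setAccount', _gaAccountCode])` and `_trackPageview` pushes on lines 4–5 run before the `if (_gaAccountCode)` guard, so when `data-ga-code` is missing or empty (getAttribute returns null / '') a `_setAccount` entry with an unusable value is still queued. The removed inline template had the same shape, but now that the guard exists the two pushes belong inside it: `if (_gaAccountCode) { _gaq.push(['_setAccount', _gaAccountCode]); _gaq.push(['_trackPageview']); (function() { … })(); }`. A one-line header would also help the next reader, since the attribute is set in a different file: `// Reads the GA account code from <html data-ga-code> (set in bare.html); loads ga.js only when one is configured.` Note that `_gaAccountCode` is declared at top level and so becomes a global alongside `_gaq`; wrapping the whole file in the IIFE would avoid that.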
19 flicks/base/templates/bare.html
@@ -5,7 +5,7 @@
{% endif %}
<!DOCTYPE html>
-<html lang="{{ LANG }}" dir="{{ DIR }}" class="{{ LANG }} {{ DIR }}">
+<html lang="{{ LANG }}" dir="{{ DIR }}" class="{{ LANG }} {{ DIR }}" data-ga-code="{{ settings.GA_ACCOUNT_CODE }}">
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
@@ -34,22 +34,7 @@
<link rel="shortcut icon" type="image/png" href="{{ static('img/favicon.png') }}">
{% block google_analytics %}
- <script>
- var _gaq = _gaq || [];
- _gaq.push(['_setAccount', '{{ settings.GA_ACCOUNT_CODE }}']);
- _gaq.push(['_trackPageview']);
-
- {% if settings.GA_ACCOUNT_CODE %}
- (function() {
- var ga = document.createElement('script');
- ga.type = 'text/javascript';
- ga.async = true;
- ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
- var s = document.getElementsByTagName('script')[0];
- s.parentNode.insertBefore(ga, s);
- })();
- {% endif %}
- </script>
+ {{ js('google_analytics') }}
{% endblock %}
</head>
<body class="{{ page_type }}"{% block body_data %}{% endblock %}>
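Review bot: The new `data-ga-code="{{ settings.GA_ACCOUNT_CODE }}"` attribute on `<html>` is an undocumented contract with `js/ga.js`, which reads it via `getAttribute('data-ga-code')`; a template comment next to it would make the coupling visible: `{# data-ga-code is read by js/ga.js (the google_analytics bundle); keep the two in sync #}`. Because the same commit drops `CSP_OPTIONS` (`inline-script`), any child template that overrides the `google_analytics` block with an inline `<script>` would now be blocked by the policy; that is not visible here, so worth a check across the other templates. The `<head>` block continues outside the hunk.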
4 flicks/base/templates/base.html
@@ -1,7 +1,7 @@
{% extends 'bare.html' %}
{% block site_css %}
- <link rel="stylesheet" media="all" type="text/css" href="//www.mozilla.org/tabzilla/media/css/tabzilla.css">
+ <link rel="stylesheet" media="all" type="text/css" href="https://www.mozilla.org/tabzilla/media/css/tabzilla.css">
{{ css('flicks_css') }}
{% endblock %}
@@ -75,5 +75,5 @@
{{ js('jquery') }}
{{ js('browserid') }}
{{ js('flicks_js') }}
- <script src="//www.mozilla.org/tabzilla/media/js/tabzilla.js"></script>
+ <script src="https://www.mozilla.org/tabzilla/media/js/tabzilla.js"></script>
{% endblock %}
40 flicks/settings/base.py
@@ -110,56 +110,27 @@ def _allowed_hosts():
# Django-CSP
CSP_IMG_SRC = ("'self'",
'data:',
- 'https://d3fenhwk93s16g.cloudfront.net',
- 'https://www.gravatar.com',
- 'https://secure.gravatar.com',
- 'http://www.google-analytics.com',
- 'https://ssl.google-analytics.com',
- 'http://*.mozilla.org',
+ 'https://*.gravatar.com',
+ 'https://*.google-analytics.com',
'https://*.mozilla.org',
- 'http://*.mozilla.net',
'https://*.mozilla.net',)
CSP_STYLE_SRC = ("'self'",
- 'https://fonts.googleapis.com',
- 'http://*.mozilla.org',
'https://*.mozilla.org',
- 'http://*.mozilla.net',
'https://*.mozilla.net',
- 'http://*.vimeo.com',
'https://*.vimeo.com',)
CSP_FONT_SRC = ("'self'",
- 'https://themes.googleusercontent.com',
- 'http://*.mozilla.org',
'https://*.mozilla.org',
- 'http://*.mozilla.net',
'https://*.mozilla.net',)
CSP_SCRIPT_SRC = ("'self'",
- 'http://login.persona.org',
'https://login.persona.org',
- 'https://platform.twitter.com',
- 'https://connect.facebook.net',
- 'http://www.google-analytics.com',
- 'https://ssl.google-analytics.com',
- 'http://*.mozilla.org',
+ 'https://*.google-analytics.com',
'https://*.mozilla.org',
- 'http://*.mozilla.net',
- 'https://*.mozilla.net',
- 'http://*.vimeo.com',
- 'https://*.vimeo.com',
- 'https://*.vimeocdn.com',)
+ 'https://*.mozilla.net',)
CSP_FRAME_SRC = ("'self'",
'https://vid.ly',
- 'http://platform.twitter.com',
- 'https://platform.twitter.com',
- 'https://www.facebook.com',
- 'http://*.vimeo.com',
'https://*.vimeo.com',
'https://*.vimeocdn.com',
- 'http://login.persona.org',
'https://login.persona.org',)
-CSP_ALLOW = ("'self'",
- 'https://*.vimeo.com')
-CSP_OPTIONS = ('eval-script', 'inline-script')
# Activate statsd patches to time database and cache hits.
STATSD_PATCHES = [
@@ -220,6 +191,9 @@ def _allowed_hosts():
'jquery': (
'js/libs/jquery-1.7.1.min.js',
),
+ 'google_analytics': (
+ 'js/ga.js',
+ ),
'browserid': (
'browserid/browserid.js',
),
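Review bot: In `CSP_SCRIPT_SRC` the explicit `https://ssl.google-analytics.com` entry is replaced by the wildcard `'https://*.google-analytics.com'`, but `js/ga.js` in this commit only ever loads from `https://ssl.google-analytics.com/ga.js`, so script-src is now wider than the one host actually used; keeping `'https://ssl.google-analytics.com'` there would keep the policy as tight as before. Dropping `CSP_OPTIONS = ('eval-script', 'inline-script')` together with the twitter, facebook, vimeo and vimeocdn script-src entries means any remaining inline script or widget-loaded script elsewhere in the site will be blocked; those templates are not in this commit, so that needs verifying, and the removal of `CSP_OPTIONS` presumably depends on the django-csp submodule bump made in the same commit. A short comment above the block would record why the policy has no inline/eval allowance: `# No inline/eval script: GA is served from js/ga.js instead of a <script> block (bugs 842557, 842564).` The `_allowed_hosts` context named in the hunk header starts outside the hunk.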
2  vendor-local/src/django-csp
@@ -1 +1 @@
-Subproject commit 149e2662417dced1661abdbde84fb0562d0c0dbc
+Subproject commit 55458eda0b120d397f0b45f7e50ddc24263202d8

4 comments on commit 12dd259

@bensternthal

Michael:

It is my understanding that loading GA via a script tag will cause some features not to work and that it must be loaded inline. See bedrock's implementation.

@Osmose
Owner

@bensternthal See https://bugzilla.mozilla.org/show_bug.cgi?id=837166 for a discussion on why GA in an external script doesn't break anything, but might result in inaccurate metrics for some edge cases. @pmclanahan and I talked about it after reading that and decided that loading an external JS file with the GA code at the end of the <head> is the best compromise between timing and still allowing meaningful CSP.

@pmclanahan
Owner

@bensternthal yeah. What @Osmose said. We're going to need to do the same on bedrock at some point.

@bensternthal

Got it and understood.
