Improve CSP instructions #20
Comments
Thanks Lou! The reason we don't mention it much is because it doesn't seem to be a big problem for the vast majority so didn't want to "clutter" the instructions with edge cases. Only heard from 2 people about CSP out of thousands who've used Plausible. Either most people don't use CSP or those that do are aware that they need to edit their policies for new services they add.
FYI in my
Thanks! I've added a note about CSP with a link to this thread on our troubleshoot your integration docs page
Similar to #4, but CSP headers need to be added even if it's not served from a custom subdomain. I think these instructions should be much more upfront, maybe here: https://docs.plausible.io/plausible-script
In particular I think it would be helpful to note specifically which CSP policies need to be edited, and provide some examples. e.g.
Lax CSP (simple and future proof):
Stricter CSP (more precise, but can break if the implementation is changed, like reporting back to a different subdomain) (the script-src and connect-src policies need to be merged with any other existing domains for those directives)

Thanks for your work on this, giving this service a try now with the hope of replacing GA.
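
An added example, not part of the thread or of Plausible's code: one way to merge an extra origin into the script-src and connect-src directives of an existing policy without dropping the sources already there. `ANALYTICS_ORIGIN` is a constructed placeholder and the function names are hypothetical.

```javascript
// Constructed placeholder origin; substitute the origin your analytics script uses.
const ANALYTICS_ORIGIN = "https://analytics.example";

// Parse "name src1 src2; name2 ..." into a Map that preserves directive order.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Add `origin` to each named fetch directive, keeping sources already present.
function allowOrigin(policy, origin, names = ["script-src", "connect-src"]) {
  const directives = parseCsp(policy);
  for (const name of names) {
    // A missing fetch directive falls back to default-src, so seed from it;
    // creating the directive with only `origin` would drop those sources.
    const current = directives.get(name) ?? directives.get("default-src");
    // Neither directive present: this fetch type is unrestricted, and adding
    // the directive would start blocking every other origin. Leave it alone.
    if (current === undefined) continue;
    // 'none' must stand alone, so it is replaced rather than extended.
    const sources = current.filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(origin)) sources.push(origin);
    directives.set(name, sources);
  }
  return serializeCsp(directives);
}
```
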