Improve CSP instructions #20

Closed
louh opened this issue Sep 22, 2020 · 3 comments


louh commented Sep 22, 2020

Similar to #4, but CSP headers need to be added even if it's not served from a custom subdomain. I think these instructions should be much more upfront, maybe here: https://docs.plausible.io/plausible-script

In particular I think it would be helpful to note specifically which CSP policies need to be edited, and provide some examples. e.g.

Lax CSP (simple and future proof):

```
Content-Security-Policy: default-src 'self' *.plausible.io
```

Stricter CSP (more precise, but can break if the implementation is changed, like reporting back to a different subdomain) (the script-src and connect-src policies need to be merged with any other existing domains for those directives):

```
Content-Security-Policy: default-src 'self'; script-src plausible.io; connect-src plausible.io
```

Thanks for your work on this, giving this service a try now with the hope of replacing GA.
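
Added example, not part of the original issue or of Plausible's documentation: one way to do the merge that the stricter policy above calls for, adding `plausible.io` to `script-src` and `connect-src` of an existing header value. It shows the case that breaks most often: a site that has only `default-src`, where a newly created `script-src` replaces the fallback instead of extending it. The function names and sample policies are constructed for illustration.

```javascript
// Source and directives are taken from the stricter policy in the issue text.
const PLAUSIBLE_SOURCE = "plausible.io";
const PLAUSIBLE_DIRECTIVES = ["script-src", "connect-src"];

// Parse "name src src; name src" into a Map that preserves directive order.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // e.g. a trailing semicolon
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Hypothetical helper: returns the policy with Plausible's source merged in.
function addPlausibleToCsp(policy, source = PLAUSIBLE_SOURCE) {
  const directives = parseCsp(policy);
  for (const name of PLAUSIBLE_DIRECTIVES) {
    // A specific directive replaces default-src rather than extending it,
    // so a newly created one has to start from the default-src sources.
    const base = directives.has(name)
      ? directives.get(name)
      : directives.get("default-src");
    // Neither directive nor fallback: this fetch type is unrestricted,
    // and adding a directive would only narrow the policy.
    if (base === undefined) continue;
    // 'none' must stand alone, so drop it once a real source is added.
    const sources = base.filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(source)) sources.push(source);
    directives.set(name, sources);
  }
  return serializeCsp(directives);
}
```

The returned string is the header value only; it goes after `Content-Security-Policy:` in whatever server or framework sets the header.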

@metmarkosaric
Contributor

Thanks Lou! The reason we don't mention it much is because it doesn't seem to be a big problem for the vast majority, so we didn't want to "clutter" the instructions with edge cases. Only heard from 2 people about CSP out of thousands who've used Plausible. Either most people don't use CSP or those that do are aware that they need to edit their policies for new services they add.

@divinerites
Contributor

FYI in my plausible-hugo module, there is a dedicated partial for taking care of plausible in your CSP

@metmarkosaric
Contributor

Thanks! I've added a note about CSP with a link to this thread on our troubleshoot your integration docs page.
