Improve CSP instructions

[louh]

Similar to #4, but CSP headers need to be added even if it's not served from a custom subdomain. I think these instructions should be much more upfront, maybe here: https://docs.plausible.io/plausible-script

In particular I think it would be helpful to note specifically which CSP policies need to be edited, and provide some examples. e.g.

Lax CSP (simple and future proof):

Content-Security-Policy: default-src 'self' *.plausible.io

Stricter CSP (more precise, but can break if the implementation is changed, like reporting back to a different subdomain) (the script-src and connect-src policies need to be merged with any other existing domains for those directives

Content-Security-Policy: default-src 'self'; script-src plausible.io; connect-src plausible.io

Thanks for your work on this, giving this service a try now with the hope of replacing GA.

[metmarkosaric]

Thanks Lou! The reason we don't mention it much is because it doesn't seem to be a big problem for vast majority so didn't want to "clutter" the instructions with edge cases. Only heard from 2 people about CSP out of thousands who've used Plausible. Either most people don't use CSP or those that do are aware that they need to edit their policies for new services they add.

[divinerites]

FYI in my plausible-hugo module, there is a dedicated partial for taking care of plausible in your CSP

[metmarkosaric]

thanks! i've added a note about CSP with a link to this thread on our troubleshoot your integration docs page

[jeremiahlee]

Adding to the above recommendation to include https://:

Content-Security-Policy: default-src 'self'; script-src https://plausible.io; connect-src https://plausible.io