Google Analytics Content Security Policy


I have the Content Security Policy:

default-src 'none';
style-src 'self';
script-src 'self' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
connect-src 'self';

On my page I have put the inline GA code into an async script:

<script src="/javascript/ga.js" async></script>

This causes a CSP error:

Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZl…07Cgl9OwoJZ2EucmVtb3ZlID0gbm9vcGZuOwoJd2luZG93W2dhTmFtZV0gPSBnYTsKfSkoKTs=' because it violates the following Content Security Policy directive: "script-src 'self' https://www.google-analytics.com".

Is there any way to serve this script from a JS file, and if not how would I need to change the CSP?


BEST ANSWER (score 10)

Please see Michele Spagnuolo's answer and upvote.

This is caused by uBlock Origin and it is because data URLs are not whitelisted:

script-src data:;

There is no point in doing this as this could leave your application vulnerable should untrusted data be used as URLs anywhere within your application, or if the attacker can inject tags that use such URLs. This of course depends on the injection point and which characters are allowed.

Of course you should be whitelisting any user-entered URLs (e.g. make sure they start with http:// or https://), however as CSP is a defence-in-depth measure you probably don't want to weaken it too much.

The upshot is that you're weakening your CSP by doing this in order to prevent a CSP report or error from being triggered.

ANSWER (score 1)

Google Analytics is CSP-compatible. The base64-encoded data: blob OP is seeing is being injected by the uBlock Origin extension. To verify, disable it/try incognito. IIRC, this is due to an "experimental/unbreak" setting in the extension.

Please resist the temptation to whitelist data: in script-src. That would make the policy completely useless for XSS mitigation, since an attacker could just inject <script src="data:text/javascript,alert(1)"></script> to execute JavaScript.
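To make the point of both answers concrete, here is an added example (not code from either answer or from Google Analytics) that evaluates the question's CSP against the script URLs involved. It is a deliberately minimal script-src matcher: it handles 'self', 'none', scheme sources such as data: and host sources with an optional scheme, and ignores nonces, hashes, wildcards, ports and path matching that real browsers implement. The page origin https://example.com, the short base64 data: URL standing in for the one uBlock Origin injects, and the hypothetical helper names are all assumptions made for the example.

```javascript
// Added example, not part of the original Q&A. Minimal CSP script-src matcher
// covering only: 'self', 'none', scheme sources (data:, https:) and host
// sources with or without an explicit scheme. Nonces, hashes, wildcards,
// ports and path matching are intentionally not implemented.

function parseScriptSrc(policy) {
  // Split the header into directives; script-src falls back to default-src
  // when absent, as the CSP spec requires.
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives['script-src'] || directives['default-src'] || [];
}

function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = parseScriptSrc(policy);
  if (sources.length === 0 || sources.includes("'none'")) return false;

  const page = new URL(pageOrigin);
  // Relative src attributes (like /javascript/ga.js) resolve against the page.
  // A data: URL parses with protocol "data:" and origin "null", so it never
  // matches 'self' or any host source, only an explicit "data:" scheme source.
  const target = new URL(scriptUrl, pageOrigin);

  for (const src of sources) {
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      // Scheme source, e.g. "data:" or "https:"
      if (target.protocol.toLowerCase() === src.toLowerCase()) return true;
      continue;
    }
    if (!src.startsWith("'")) {
      // Host source, e.g. "https://www.google-analytics.com" or "cdn.example.com".
      // Without an explicit scheme the page's own scheme is assumed.
      const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(src);
      const hostSrc = new URL(hasScheme ? src : `${page.protocol}//${src}`);
      const schemeOk = hasScheme ? target.protocol === hostSrc.protocol : true;
      if (schemeOk && target.host === hostSrc.host) return true;
    }
  }
  return false;
}

// The policy from the question, and the weakened variant the first answer warns against.
const ORIGINAL_POLICY =
  "default-src 'none'; style-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "img-src 'self' https://www.google-analytics.com; connect-src 'self'";
const WEAKENED_POLICY = ORIGINAL_POLICY.replace("script-src 'self'", "script-src 'self' data:");

// Constructed inputs (assumptions for the example): a page origin, the local GA
// loader from the question, the real GA host, a short base64 data: URL standing
// in for the extension-injected one ("(function() {})();" encoded), and the
// injected payload from the second answer.
const PAGE = 'https://example.com/';
const GA_LOADER = '/javascript/ga.js';
const GA_REMOTE = 'https://www.google-analytics.com/analytics.js';
const EXTENSION_DATA_URL = 'data:application/javascript;base64,KGZ1bmN0aW9uKCkge30pKCk7';
const INJECTED = 'data:text/javascript,alert(1)';

function evaluate(policy) {
  return {
    ga_local: scriptAllowed(policy, PAGE, GA_LOADER),
    ga_remote: scriptAllowed(policy, PAGE, GA_REMOTE),
    extension_data: scriptAllowed(policy, PAGE, EXTENSION_DATA_URL),
    injected_data: scriptAllowed(policy, PAGE, INJECTED),
  };
}

console.log('original:', JSON.stringify(evaluate(ORIGINAL_POLICY)));
console.log('with data::', JSON.stringify(evaluate(WEAKENED_POLICY)));
```

Under the original policy the local loader and the Google Analytics host are allowed and both data: URLs are refused, which is exactly the console error in the question; the extension-injected URL and the attacker's injected URL are indistinguishable to the policy. Adding data: to script-src silences the error but allows the attacker's URL too, which is the trade-off both answers describe.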