Making the ExactMetrics plugin CSP (Content Security Policy) compatible

  • Adding a Content Security Policy HTTP header or HTML meta tags to your website will add another layer of security by protecting the website and its visitors from Cross-site scripting (XSS) attacks. Another good reference for CSP is this: https://content-security-policy.com/.

    An example of a CSP HTTP header would be:

    <?php
    // Send the CSP header on front-end, login and admin requests.
    add_action('send_headers', 'set_CSP_header');
    add_action('login_init', 'set_CSP_header');
    add_action('admin_init', 'set_CSP_header');

    function set_CSP_header() {
        // script-src lists no 'unsafe-inline', so inline <script> blocks are refused.
        $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self'; style-src 'self';";
        header($CSP);
    }
    ?>

    Currently this CSP header does not work with the ExactMetrics plugin because it blocks the tracking script from loading. Website administrators would have to have ‘unsafe-inline’ in the script-src directive to allow loading of the tracking script. Using ‘unsafe-inline’ removes most of the XSS protection that CSP is able to give.

    To make ExactMetrics CSP compatible, the tracking script would have to be loaded from a separate .js file.

    Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?

    • This topic was modified 5 months, 3 weeks ago by kysymysteke.
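
Added example (not part of the original post and not ExactMetrics code): a simplified model of how a browser applies script-src, run against the header from the post and against the same header with 'unsafe-inline' added. The site origin, the file paths and the sample scripts are constructed, and only 'none', 'self', 'unsafe-inline' and exact host sources are modelled.

```javascript
// Simplified model of how a browser applies script-src (added example).
// Nonces, hashes, wildcards, schemes and ports are deliberately left out.
const POST_POLICY = "default-src 'none'; script-src 'self' www.google-analytics.com; " +
  "connect-src 'self'; img-src 'self'; style-src 'self';";
// The loosening the post describes: the same policy plus 'unsafe-inline'.
const LOOSENED_POLICY = POST_POLICY.replace("script-src 'self'", "script-src 'self' 'unsafe-inline'");
const SITE_ORIGIN = 'https://example.com'; // hypothetical site

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// script is { inline: true } or { src: 'https://host/path.js' }
function scriptAllowed(header, pageOrigin, script) {
  const directives = parsePolicy(header);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  return sources.some((s) => {
    if (s === "'self'") return url.origin === pageOrigin;
    if (s.startsWith("'")) return false; // other keywords never match a URL
    return s.toLowerCase() === url.hostname; // exact host source
  });
}

// Constructed sample scripts that a page on SITE_ORIGIN might contain.
const SAMPLES = {
  inlineTracking: { inline: true }, // tracking snippet printed into the page
  injectedInline: { inline: true }, // inline script introduced through XSS
  externalTracking: { src: 'https://example.com/js/tracking.js' }, // hypothetical separate file
  analyticsLibrary: { src: 'https://www.google-analytics.com/analytics.js' },
  thirdParty: { src: 'https://other.example.net/x.js' },
};

function evaluate(header) {
  const result = {};
  for (const [name, script] of Object.entries(SAMPLES)) result[name] = scriptAllowed(header, SITE_ORIGIN, script);
  return result;
}

console.log('post policy   ', evaluate(POST_POLICY));
console.log('+unsafe-inline', evaluate(LOOSENED_POLICY));
```

The model has no way to tell inlineTracking from injectedInline, which is the point: a policy that admits one inline script by 'unsafe-inline' admits every inline script, while the same snippet served as a same-origin file passes under 'self'.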