Skip to content

azu/csp-report-to-google-analytics

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
src
src
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.html
index.html
 
 
package.json
package.json
 
 
server.js
server.js
 
 
yarn.lock
yarn.lock
 
 

Repository files navigation

csp-report-to-google-analytics

Content-Security-Policy(CSP) report to Google Analytics.

Usage

This library should be used with analytics.js. This library does not work with gtag.js. Please see gtag.js API? · Issue #202 · googleanalytics/autotrack.

You can load this library from unpkg CDN.

<!-- Google Analytics -->
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
// require csp-report-to-google-analytics plugin
ga('require', 'csp-report');
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<!-- End Google Analytics -->
<!-- Load csp-report-to-google-analytics plugin -->
<script async src='https://unpkg.com/csp-report-to-google-analytics/dist/csp-report-to-google-analytics.min.js'></script>

You have already introduced analytics.js, then add these to existing analytic setting.

  • ga('require', 'csp-report');
  • <script async src='https://unpkg.com/csp-report-to-google-analytics/dist/csp-report-to-google-analytics.min.js'></script>

CSP

You need to enable CSP on your site.

The Content-Security-Policy-Report-Only HTTP Header is useful to found mixed contents on your site.

Content-Security-Policy-Report-Only: default-src https:;

Also, <meta> tag can enable Content-Security-Policy, but <meta> tag does not support ``Content-Security-Policy-Report-Only` header.

<!-- Work -->
<meta http-equiv="Content-Security-Policy" content="default-src https:">
<!-- Not Work -->
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src https:">

For more information about CSP, see Content Security Policy CSP Reference & Examples.

Tips

You should allow to http://www.google-analytics.com/* on HTTP site. Google Analytics use HTTP

Content-Security-Policy-Report-Only: default-src https: http://www.google-analytics.com/* 'unsafe-eval' 'unsafe-inline';

Options

  • debug: boolean
    • Default: false
ga('require', 'csp-report', {
    debug: true
});

Default field values

Field Value
hitType 'pageview'
eventCategory 'CSP Report'
eventAction SecurityPolicyViolationEvent.violatedDirective
eventLabel SecurityPolicyViolationEvent.blockedURI
nonInteraction true

Example

efcl.info introduce this plugin:

Results:

image

image

Changelog

See Releases page.

Contributing

Pull requests and stars are always welcome.

For bugs and feature requests, please create an issue.

  1. Fork it!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request :D

Author

License

MIT © azu

About

CSP report to Google Analytics.

csp-report-to-google-analytics.netlify.com/

Topics

plugin csp google analytics https mixed-content

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

4 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 2

1.0.2 Latest
Mar 17, 2018
+ 1 release

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages