To get Google Analytics (GA) and Google Ads to run under a Content Security Policy (CSP), you need to allow their origins in the relevant directives: script-src for the loader scripts, and connect-src and img-src for the measurement requests (beacons, XHR and tracking pixels) they send back. The hosts involved include www.google-analytics.com, googletagmanager.com, adservice.google.com and googleads.g.doubleclick.net. Keep in mind that a CSP host source matches exactly unless it carries a wildcard: a bare googletagmanager.com entry does not cover www.googletagmanager.com, so list the subdomain or write *.googletagmanager.com. Also prefer the https:// scheme on each entry rather than a scheme-less host, so the policy does not widen to plain HTTP.
The harder part is the inline bootstrap snippet that GA asks you to paste into the page. There are two common ways to allow it. The first is a nonce (number used once): the server generates a fresh, unpredictable value for every HTTP response, places it in script-src as 'nonce-<value>' and sets the same value on the nonce attribute of the <script> tag. Because the nonce must change with every response, the page can no longer be served unchanged from a static cache or CDN, which adds server-side work and some latency. If the nonced snippet goes on to inject further scripts, either allow their hosts as well or add 'strict-dynamic', which trusts scripts loaded by an already trusted script (and makes the browser ignore the host allowlist in that directive).
The second is the 'unsafe-inline' source expression. This is not recommended: it allows every inline script on the page, including anything an attacker manages to inject, which defeats the main reason for deploying CSP. Note also that browsers supporting CSP Level 2 ignore 'unsafe-inline' in a directive that also contains a nonce or hash source, so adding it next to a nonce only serves as a fallback for very old browsers and gives no protection in modern ones. If you cannot generate nonces, the safer choice for a fixed snippet is a hash source: compute the SHA-256 of the exact inline script text and list it as 'sha256-<base64>' in script-src. Only that precise script will run, and the policy stays static, so caching is unaffected; the cost is that any whitespace or content change to the snippet requires a new hash.
One less common approach mentioned in the referenced article is to inject Google Analytics from a service worker. This is not simple, and you should only attempt it if you are confident with how service workers behave.
Remember that while CSP is a powerful defensive tool for site security, it does complicate integrating third-party services such as GA or Google Ads. Deploying the policy first as Content-Security-Policy-Report-Only, with a report-uri or report-to endpoint, lets you see exactly which loads GA and Ads trigger before you enforce it. Strike a balance between security and functionality to create a high-performing website.