Content Security Policy is incompatible with Google Analytics and Google AdSense. Even the default-src wildcard, which is intended to admit everything from everywhere, is insufficient permission. If either Google product is wanted on a website, CSP must be left disabled (e.g., commented out) from .htaccess site-wide applicability. I reported this to Google (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031 (not substantively updated in 3 weeks, thus Google not claiming compatibility)). Even though Google's humans saw Analytics code in my site, Google's machinery did not see it until I recommented-out all of CSP from my site.
I did not test with a non-httpd server (I don't have one), a meta tag (too many website pages), or any competitor's analytics or advertising product (I don't have them installed).
I posted this issue in GitHub under html5-boilerplate and a respondent offered what was meant as a contrary example, but it was only an example of how to write CSP for a website, not an example of a working website with Google Analytics data reports or AdSense ads that contradicted the problem that Google, either accidentally or not, apparently doesn't allow any CSP, even a default-src wildcard. Since this is an .htaccess issue, it probably belongs here rather than there, anyway.
This conflict between CSP and Google Analytics and AdSense should be stated in .htaccess > Security > Content Security Policy (CSP) (regarding both Google products) and in extend.md > Google Universal Analytics (regarding Analytics only) and in a new section I propose, extend.md > Google AdSense.
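
The `default-src *` case from the report above, as an added example that is not part of the original issue or of the project's code: a simplified JavaScript model of how CSP source lists apply to scripts, in which `*` matches network URLs but never inline `<script>` blocks such as an inline analytics snippet. The policies and the script URL are constructed samples, and the function names are hypothetical.

```javascript
// Added illustration: simplified model of CSP checks for <script> elements.
// Not modelled: ports, paths, 'self', script-src-elem, http->https upgrades.
// Parse a policy into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) { // first occurrence wins
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src governs scripts; default-src is only its fallback.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") ?? d.get("default-src") ?? null;
}

// Inline scripts without a nonce need 'unsafe-inline', and it is ignored
// when a nonce, hash or 'strict-dynamic' is present. "*" never matches them.
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive
  const lower = sources.map((s) => s.toLowerCase());
  const overridden = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return lower.includes("'unsafe-inline'") && !overridden;
}

// External scripts are matched by URL against "*", scheme and host sources.
function allowsExternalScript(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const { protocol, hostname } = new URL(url);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "*") return ["http:", "https:"].includes(protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === protocol; // e.g. https:
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
    if (!m) return false; // quoted keywords never match a URL
    if (m[1] && m[1] + ":" !== protocol) return false;
    return m[2] ? hostname.endsWith("." + m[3]) : hostname === m[3];
  });
}

// Constructed sample policies and script URL.
const WILDCARD = "default-src *";
const EXPLICIT = "script-src 'unsafe-inline' https://www.google-analytics.com";
const GA_URL = "https://www.google-analytics.com/analytics.js";
```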