Content Security Policy Error in Chrome with Google Analytics and uBlock Origin

Why am I seeing Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZl…SkoKTs=' because it violates the following Content Security Policy directive:... and what's the proper Content Security Policy for use with Google Analytics?

You're seeing that error because you have an ad-blocking extension installed (Ghostery or uBlock Origin) and the extension replaces the google analytics script with an inline base64 script - which is not allowed by your Content Security Policy.

This would work for typical install when the user does NOT have an ad-blocker installed:
Header always set Content-Security-Policy "default-src https://www.google-analytics.com"

But you get an error when you have an ad-blocker installed. To resolve the console error you need to add an additional scheme to the CSP.
Header always set Content-Security-Policy "default-src 'self' data: https://www.google-analytics.com"
Note that the data: is a scheme modifier of 'self' in this case.

Also note that the Header always set code refernces are for Apache2 so you'll need to modify the code for whatever server you're using.

Cheers and happy hacking,
@davidnanch



Please submit feedback or corrections to: nanch at nanch.com