🤖 backported "Fix CSP issue for Google Analytics" (metabase#18303)

Goldbely · Oct 6, 2021 · c529fe2 · c529fe2
1 parent b7a4d19
commit c529fe2
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/metabase/server/middleware/security.clj b/src/metabase/server/middleware/security.clj
@@ -51,9 +51,10 @@
                                    "'unsafe-eval'" ; TODO - we keep working towards removing this entirely
                                    "https://maps.google.com"
                                    "https://apis.google.com"
-                                   "https://www.google-analytics.com" ; Safari requires the protocol
                                    "https://*.googleapis.com"
                                    "*.gstatic.com"
+                                   (when (public-settings/anon-tracking-enabled)
+                                     "https://www.google-analytics.com")
                                    ;; for webpack hot reloading
                                    (when config/is-dev?
                                      "localhost:8080")
@@ -76,6 +77,10 @@
                   :connect-src  ["'self'"
                                  ;; MailChimp. So people can sign up for the Metabase mailing list in the sign up process
                                  "metabase.us10.list-manage.com"
+                                 ;; Google analytics
+                                 (when (public-settings/anon-tracking-enabled)
+                                   "www.google-analytics.com")
+                                 ;; Webpack dev server
                                  (when config/is-dev?
                                    "localhost:8080 ws://localhost:8080")]
                   :manifest-src ["'self'"]}]