Skip to content

Commit a8ffd2c

Browse files
author
Michael Levin
committed
Add guidance for Content-Security-Policy
1 parent ea07e44 commit a8ffd2c

1 file changed

Lines changed: 12 additions & 2 deletions

File tree

README.md

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
Provides a JavaScript file for US federal agencies to link or embed in their websites to participate in the Digital Analytics Program.
44
The latest code collects both DAP Universal Analytics and GA4 data as part of the same tag.
55

6-
The latest version of DAP GA code contains dual tracking code for both Universal Analytics (UA) and GA4:
6+
The latest version of DAP GA code contains dual tracking code for both Universal Analytics (UA) and GA4:
77

88
* [`Universal-Federated-Analytics.js`](Universal-Federated-Analytics.js) (full)
99
* [`Universal-Federated-Analytics-Min.js`](Universal-Federated-Analytics-Min.js) (minified)
@@ -49,7 +49,7 @@ supported scenarios include:
4949
Analytics code fails: when an agency Universal Analytics tracking code (not DAP)
5050
uses a custom/non-default tracking object and it is added right after the Federated
5151
code. In this specific scenario, the Federated code will fail in reporting the first page
52-
hit and will be able to track normally all the consecutive hits.
52+
hit and will be able to track normally all the consecutive hits.
5353

5454
*Limitation:* The Federated DAP code doesn’t fully support older versions of
5555
Microsoft Internet Explorer. While the Federated DAP code works with all known
@@ -70,6 +70,16 @@ Browsers that support HSTS and which have observed this HSTS policy (either from
7070

7171
Together, HTTPS and HSTS offer a strong, necessary level of transport security and integrity.
7272

73+
#### Content Security Policy
74+
75+
A Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks to your website, including Cross-Site Scripting (XSS) and data injection attacks. In order to incorporate the DAP JS into your site which includes a Content Security Policy, add the DAP domain and necessary Google domains to your allowed script sources. Also add the Google Analytics domain to your allowed connect sources. Example follows:
76+
77+
```
78+
Content-Security-Policy: script-src https://dap.digitalgov.gov https://www.google-analytics.com https://www.googletagmanager.com; connect-src https://www.google-analytics.com;
79+
```
80+
81+
This whitelists the DAP domain and necessary Google domains as trusted sources for JavaScript downloads to your site. In order to make your CSP as restrictive and secure as possible, use `script-src` rather than `default-src` to only permit JavaScript to be included from these domains and no other file types. The `connect-src` directive allows the DAP JavaScript code to connect to the Google Analytics domain in order to send analytics data from your site to Google Analytics.
82+
7383
#### Data integrity
7484

7585
The `dap.digitalgov.gov` domain is currently served by a third party content delivery network (CDN) that serves the current JavaScript referenced in the `master` branch of this GitHub repository.

0 commit comments

Comments
 (0)