How accidentally not to block Google Analytics on your site

Download PDF
Reconciling Content Security Policy with GA and GTM

Reconciling Content Security Policy With Google Analytics and Google Tag Manager

Content Security Policy (CSP) is a web standard providing protection from third-party assets such as cross-site scripting attacks (XSS) that may cause serious security concerns. CSP describes safe sources, establishes rules of use of built-in styles and scripts as well as dynamic assessment of JavaScript. Loading from resources not on the so-called "white list" is blocked.

CSP for Google Analytics

Google Analytics can use 2 - 4 features often restricted by Content Security Policy, so your task is to enable them.


The first thing you should do is configure the script-src directive to allow Google Analytics to run JavaScript.

  • Add to the source list of your script-scr directive.

Note: the https is optional, while the www is mandatory.

  • Add the Google Analytics code snippet to your page.

Note: This is an inline snippet, known as function(i,s,o,g,r,a,m), which is restricted by CSP.

 Here are 3 ways you can run Google Analytics from less secure to more reliable:

  1. Add the string ‘unsafe-inline’ to the script-scr directive source list to allow all inline snippets to run. This is the least secure way as unsafe code also gets a let-pass.
  2. Move the Google Analytics part of the code to an external code file hosted on a whitelisted domain, for example on your website primary domain.
  3. Opt for use of nonce-value on the inline script. This way is most secure, but also complicated, so choose it only if nonce-values are already used for other inline scripts.

Tracking Beacons

Content Security Policy may restrict the ways Google Analytics sends data to servers for Post requests, Image requests and the browser “Beacon” feature. 

  • Whitelist Google Analytics by adding
  • Add and to the source list if AdWords integration or Advertising Features is enabled.


Here is a simple policy enabling Google Analytics to function without the AdWords or Advertising features. It allows only what is strictly necessary and restricts other non-Google resources. 

default-src 'self' 'unsafe-inline' 

This way you can move the Google Analytics code snippet to a separate file as this policy requires. It is hosted on the same domain as the main site.

script-src 'self'; 



Google Tag Manager

Content Security Policy may also restrict some assets loaded on your page by Google Tag Manager.


Tag Manager is a script-injection framework that dynamically loads JavaScript sections onto your page, so you can’t restrict it from executing inline snippets as it works with Google Analytics. To make Tag Manager function, you should:

  • Update your script-src (or default-src) directive with and ‘unsafe-inline in the source list.

Other Assets

If you need to load some third-party tracking pixels, you should work out how to allow the appropriate script or image sources.
Trial and error is the most efficient method here:

  • Add the tracking code in Tag Manager,
  • Make a preview,
  • And then monitor the error message about Content Security Policy.


Content Security Policy is a helpful feature for reinforcing your site security. With some coordination and minimal effort, it can work perfectly in conjunction with Google Analytics, while Google Tag Manager will require more attention on your part to manage which assets should be allowed. Don’t be of afraid of loosing some CSP benefits, as even with Google Tag Manager inline snippets permitted, Content Security Policy still offers considerable security benefits.

Marketing and Business Development Manager
Meet Andrey - Marketing and Business development manager at Magora! With a keen eye for market trends and a knack for relationship-building, Andrey spearheads initiatives that propel Magora to the forefront of innovation and success in the tech industry.
Google Analytics: Tips about Filters and Segments Settings You Probably Had No Clue About App Promotion: Apple and Google Best Practices 9 Common Google Analytics’ Errors: How to Fix Them Google Analytics: Overcoming Big Data Problems with Google Analytics 360 and BigQuery
Generational nuances: crafting the user experience in 2024 VisionOS App Development: The Era of Spatial Computing EdTech 2024: Software trends for Teachers, Students and Headmasters The Heartbeat of AI: Ensuring AI Ethics in Education and Healthcare
Everything You Want to Know About Mobile App Development App Development Calculator Infographics: Magora development process Dictionary
News Technologies Design Business Development HealthTech IoT AI/ML PropTech FinTech EdTech Mobile Apps Discovery Transport&Logistics AR/VR Big Data Sustainability Startup Enterprise Security
Logo Magora LTD
Thank you very much.
Magora team

Grab your e-book: Design to attract more buyers

Logo Magora LTD
Get in touch
Open list
Open list
Logo Magora LTD
Thank you very much.

Your registration to the webinar on the 27th of September at 2 p.m. BST was successfuly completed.
We will send you a reminder on the day before the event.
Magora team
Registration for a webinar

"Let Smart Bots Speed up your Business"
Date: 27.09.2018 Time: 2 p.m. BST
Do you agree to the personal data processing?

Logo Magora LTD
Download our curated selection of resources for accelerating your software development journey.