CSP and web analytics

Hi PubWebSec!

To get ready for Content Security Policy in production, organizations have to
get JavaScript guidelines in place stating no inline JavaScript, only
JavaScript in files. That's fine for in-house developers, but I'm starting to
get worried about web analytics tools such as Omniture SiteCatalyst and
Google Analytics. These are very popular out there, and the decision to use
them is typically made by managers closer to the money than the security
department is.

I have used both SiteCatalyst and Analytics before, both with inline
JavaScript. Looking at their online documentation and tutorials, I only see
inline solutions.

Example from the SiteCatalyst tutorial
(https://developer.omniture.com/en_US/get-started/sitecatalyst-tagging):
*[bla, bla] return to the Page Code tab and copy all of the code in the tab.
In the HTML files, locate the comment that says Begin Paste the SiteCatalyst
JavaScript Page code here and then paste the Page Code below the comment.*

Example from the Analytics tutorial
(http://www.google.com/support/googleanalytics/bin/answer.py?answer=174090):
*In the Profile Settings page, click the "Check Status" link. You'll see
something similar to the code snippet below. (...) Once you find the code
snippet, copy and paste it into your web page, just before the closing
</head> tag.*

All of this will be a show-stopper for CSP. I think we have to start working
with the web analytics vendors to 1) find working file-only solutions, and
2) write good tutorials on how to get file-only web analytics working. We
might be successful, since developers in general consider this "paste the
JavaScript into your page" practice quite ugly.

Thoughts?

   Regards, John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com

Received on Wednesday, 8 June 2011 11:22:13 UTC
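The following is an added example, not code from the mail above or from any analytics vendor. It shows the inline-versus-file problem concretely: a small CSP readiness check that scans an HTML page for `<script>` elements, reports the ones a given Content-Security-Policy would block (inline blocks without `'unsafe-inline'`, and external scripts whose origin is not in `script-src`), and then performs the "file-only" rewrite the mail asks vendors for by moving each inline body into its own file. The sample page, the `analytics.example.com` and `cdn.other.example` hosts, the account identifier and the path prefix are all constructed for the example; the source-expression matcher is a deliberately simplified subset of CSP (ports and paths are ignored).

```javascript
// Added example, not code from the mail or from any analytics vendor.
// A small CSP readiness check for the inline-script problem discussed above:
// it scans an HTML page for <script> elements, reports the ones a given
// Content-Security-Policy would block, then shows the file-only rewrite.
// The source-expression matcher is a deliberately simplified subset of CSP.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Source list that governs scripts: script-src, else default-src, else null.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Simplified matcher: '*', 'self', scheme-source ("https:") and host-source
// with optional scheme and leading wildcard ("*.example.com"). Ports and
// paths are ignored; keyword sources such as 'unsafe-inline' never match a URL.
function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin.toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Returns one finding per <script> element the policy would block.
function auditPage(html, policy, pageOrigin) {
  const sources = scriptSources(policy);
  if (!sources) return [];   // no script-src/default-src: nothing is blocked
  const findings = [];
  const allowInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  SCRIPT_RE.lastIndex = 0;
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = SRC_RE.exec(attrs);
    if (src) {
      const url = new URL(src[1], pageOrigin + '/');
      if (!sources.some(s => sourceAllows(s, url, pageOrigin))) {
        findings.push({ kind: 'external', src: url.href,
                        reason: `origin ${url.origin} is not in script-src` });
      }
    } else if (body.trim() && !allowInline) {
      findings.push({ kind: 'inline', snippet: body.trim().slice(0, 60),
                      reason: "inline script is blocked without 'unsafe-inline'" });
    }
  }
  return findings;
}

// The file-only rewrite: each inline script body is moved into its own file
// under pathPrefix and the element is replaced by a <script src> reference.
function externalizeInlineScripts(html, pathPrefix) {
  const files = {};
  let n = 0;
  const rewritten = html.replace(SCRIPT_RE, (match, attrs, body) => {
    if (SRC_RE.test(attrs) || !body.trim()) return match;
    const path = `${pathPrefix}inline-${++n}.js`;
    files[path] = body.trim() + '\n';
    return `<script${attrs} src="${path}"></script>`;
  });
  return { html: rewritten, files };
}

// Constructed sample page: one first-party script, one inline vendor-style
// snippet (a stand-in, not any real vendor's code) and two third-party scripts.
const SAMPLE_PAGE = `<html><head>
<script src="/js/app.js"></script>
<script type="text/javascript">
  var _tracker = _tracker || [];
  _tracker.push(['setAccount', 'ACCOUNT-ID-PLACEHOLDER']);
</script>
<script src="https://analytics.example.com/tracker.js"></script>
<script src="https://cdn.other.example/lib.js"></script>
</head><body></body></html>`;

const PAGE_ORIGIN = 'https://www.example.com';
const POLICY = "default-src 'self'; script-src 'self' https://analytics.example.com";

// Audit the page before and after the rewrite under the same policy.
function demo() {
  const before = auditPage(SAMPLE_PAGE, POLICY, PAGE_ORIGIN);
  const fixed = externalizeInlineScripts(SAMPLE_PAGE, '/js/');
  const after = auditPage(fixed.html, POLICY, PAGE_ORIGIN);
  return { before, after, files: Object.keys(fixed.files) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Under the sample policy the first audit reports two findings (the inline snippet and the script from the host not listed in `script-src`); after the inline body is moved to `/js/inline-1.js` only the unlisted host remains, which is exactly the decision a manager and the security team still have to make together. Two caveats a practitioner should keep in mind: inline event-handler attributes (`onclick="..."`) and `javascript:` URLs also count as inline script under CSP and are not detected here, and moving a vendor snippet into a file preserves its position in the document but not anything it expected to find in the surrounding page, so the rewritten file should be tested in a CSP report-only rollout first.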