Re: CSP and web analytics

Yeah, one of the challenges for CSP is that it imposes constraints on
how you integrate with third parties.  Web analytics is probably one
of the easier examples of this issue.  Advertising is probably more
challenging.  My sense is that CSP succeeding on this dimension is
going to take a while.  Enough developers need to be interested in
using the feature that providers of these third-party services have an
incentive to play nicely with CSP.


On Wed, Jun 8, 2011 at 4:19 AM, John Wilander <> wrote:
> Hi PubWebSec!
> To get ready for Content Security Policy in production, organizations have to
> get JavaScript guidelines in place stating no inline JavaScript, only
> JavaScript in files. That's fine for in-house developers but I'm starting to
> get worried about web analytics tools such as Omniture SiteCatalyst and
> Google Analytics. These are very popular out there and the decision to use
> them is typically made by managers closer to money than the security
> department typically is.
> I've been using both SiteCatalyst and Analytics before, both using inline
> JavaScript. Looking at their online documentation and tutorials I only see
> inline solutions.
> Example from SiteCatalyst tutorial
> (
> [bla, bla] return to the Page Code tab and copy all of the code in the tab.
> In the HTML files, locate the comment that says Begin Paste the SiteCatalyst
> JavaScript Page code here and then paste the Page Code below the comment.
> Example from Analytics tutorial
> (
> In the Profile Settings page, click the "Check Status" link. You'll see
> something similar to the code snippet below. (...) Once you find the code
> snippet, copy and paste it into your web page, just before the closing
> </head> tag.
> All of this will be a show stopper for CSP. I think we have to start working
> with the web analytics vendors to 1) find working file-only solutions, and
> 2) write good tutorials on how to get file-only web analytics working. We
> might be successful since developers in general consider this "paste the
> JavaScript into your page" practice quite ugly.
> Thoughts?
>    Regards, John
> --
> John Wilander,
> Chapter co-leader OWASP Sweden,
> Conf Comm,
> My music

Received on Wednesday, 8 June 2011 17:26:13 UTC
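To make the constraint the thread is discussing concrete, here is an added example that is not part of either message: a small JavaScript model of how a CSP `script-src` directive decides which scripts may run, applied to the two integration styles John describes (the vendor's copy-and-paste inline snippet versus the same bootstrap moved into a file). The page origin, the vendor hostname `ssl.google-analytics.com`, the file name `analytics.js` and the three policies are constructed for illustration. The model matches by scheme, host and port only and has no nonces or hashes (CSP did not have them in 2011). Besides showing that the inline snippet is refused, it shows the caveat the thread does not spell out: moving the snippet into a file is not enough on its own, because the vendor's library host must also be allowlisted in `script-src`, and that adding `'unsafe-inline'` to "make it work" gives up the protection entirely.

```javascript
// Added example, not from the thread: a model of how a CSP script-src
// directive decides which scripts may execute, used to compare the vendors'
// "paste this snippet into your page" integration with a file-only one.
// Simplifications: matching is by scheme, host and port (no paths), and
// there are no nonces or hashes, which CSP did not have in 2011.

// Parse a policy header into { directiveName: [sourceExpression, ...] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Scripts are governed by script-src, falling back to default-src.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || [];
}

// Split a host source such as "https://ssl.google-analytics.com:443" or
// "*.google-analytics.com" into parts. A missing scheme means "the page's scheme".
function parseHostSource(source, pageScheme) {
  let scheme = pageScheme;
  let rest = source;
  const i = source.indexOf('://');
  if (i !== -1) {
    scheme = source.slice(0, i).toLowerCase();
    rest = source.slice(i + 3);
  }
  const [host, port = ''] = rest.split(':');
  return { scheme, host: host.toLowerCase(), port };
}

// Does one source expression match the origin a script is loaded from?
function sourceMatches(source, scriptUrl, pageOrigin) {
  const script = new URL(scriptUrl);
  if (source === "'self'") return script.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  const page = new URL(pageOrigin);
  const want = parseHostSource(source, page.protocol.replace(':', ''));
  if (want.scheme !== script.protocol.replace(':', '')) return false;
  // '' is the scheme's default port; an explicit ":443" in the policy is not normalized here.
  if (want.port !== script.port) return false;
  if (want.host.startsWith('*.')) {
    // "*.example.com" matches subdomains of example.com, not example.com itself.
    const suffix = want.host.slice(1);
    return script.hostname.endsWith(suffix) && script.hostname.length > suffix.length;
  }
  return want.host === script.hostname;
}

// May one script element execute? A script is { label, inline: true } for a
// <script> with a body, or { label, src } for an external file.
function scriptAllowed(header, pageOrigin, script) {
  const sources = scriptSources(parsePolicy(header));
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  return sources.some((s) => sourceMatches(s, script.src, pageOrigin));
}

// Labels of the scripts on a page that the policy would refuse to run.
function blockedScripts(header, pageOrigin, scripts) {
  return scripts.filter((s) => !scriptAllowed(header, pageOrigin, s)).map((s) => s.label);
}

// Constructed page models; the origin and vendor hostname are illustrative.
const PAGE_ORIGIN = 'https://www.example.com';

// Vendor-style integration: the configuration snippet is pasted inline before
// </head> and then pulls the vendor library from the vendor's host.
const INLINE_INTEGRATION = [
  { label: 'inline analytics snippet', inline: true },
  { label: 'vendor library', src: 'https://ssl.google-analytics.com/ga.js' },
];

// File-only integration: the same bootstrap served as a file from our origin
// (per-page values such as the account id live in that file or in data-
// attributes, never in an inline <script> body).
const FILE_ONLY_INTEGRATION = [
  { label: 'analytics bootstrap', src: 'https://www.example.com/js/analytics.js' },
  { label: 'vendor library', src: 'https://ssl.google-analytics.com/ga.js' },
];

const POLICY_SELF_ONLY = "default-src 'self'";
const POLICY_WITH_VENDOR = "default-src 'self'; script-src 'self' https://ssl.google-analytics.com";
const POLICY_UNSAFE = "script-src 'self' 'unsafe-inline' https://ssl.google-analytics.com";

// Stand-alone run: show what each policy blocks for each integration.
if (typeof require !== 'undefined' && require.main === module) {
  const policies = { POLICY_SELF_ONLY, POLICY_WITH_VENDOR, POLICY_UNSAFE };
  for (const [name, policy] of Object.entries(policies)) {
    console.log(name, 'blocks (inline):', blockedScripts(policy, PAGE_ORIGIN, INLINE_INTEGRATION));
    console.log(name, 'blocks (file-only):', blockedScripts(policy, PAGE_ORIGIN, FILE_ONLY_INTEGRATION));
  }
}
```

Under `default-src 'self'` the inline snippet is refused and so is the vendor library, whichever integration is used; only `POLICY_WITH_VENDOR` lets the file-only integration run cleanly while still refusing the inline one. `POLICY_UNSAFE` lets both run, which is exactly the setting a vendor tutorial would tempt a team into and which removes the protection against injected inline script that motivated deploying CSP in the first place. Note that the 2011 experimental header (`X-Content-Security-Policy`) used slightly different syntax; the model above uses the standardized `Content-Security-Policy` source-expression syntax.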