Published on

New Google Analytics Content Security Policy Code


    John Partee

Setting up google analytics for WorthHearing, my new music blog, I had an error I hadn't seen before!

Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.

A CSP essentially tells our browser where to allow code to run, and where it can pull data from. If you are using a CSP (and you probably should!), you'll need these lines to make Google Analytics work.

script-src:  *
img-src:     * *
connect-src: * * *

If you have any of these keys (like img-src), you'll need to combine the above with your old security policy. In my case, it looked like:

  default-src 'self';
  script-src 'self' 'unsafe-eval' 'unsafe-inline' *;
  style-src 'unsafe-inline';
  img-src * blob: data:;
  connect-src *;

Because I allow all images and connections through my CSP currently. This is for a static site, so I'm not too worried.

Thanks to Google for documenting this well!

Want an email when we post?

Free, weekly at most. We hate spam too.