New Google Analytics Content Security Policy Code

Authors
    John Partee

Setting up Google Analytics for WorthHearing, my new music blog, I had an error I hadn't seen before!

Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.

A Content Security Policy (CSP) essentially tells the browser which origins a page may run code from and which origins it may pull data from. If you are using a CSP (and you probably should!), you'll need these lines to make Google Analytics work.

script-src:  *.googletagmanager.com
img-src:     *.google-analytics.com *.googletagmanager.com
connect-src: *.google-analytics.com *.analytics.google.com *.googletagmanager.com

If your policy already has any of these directives (like img-src), you'll need to combine the sources above with your existing security policy. In my case, it looked like:

  default-src 'self' https://disqus.com https://c.disquscdn.com;
  script-src 'self' 'unsafe-eval' 'unsafe-inline' https://worthhearing.disqus.com *.googletagmanager.com;
  style-src 'unsafe-inline';
  img-src * blob: data:;
  connect-src *;

This is because I currently allow all images and connections through my CSP. This is for a static site, so I'm not too worried.
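The merge described above as a small script, added here as an example and not the author's or Google's code. It goes beyond the author's case by also handling a directive that is missing and falls back to default-src. The function names are hypothetical, and the sample input is the policy above with the Google Analytics entry removed.

```javascript
// Added example, not from the original post. GA_SOURCES copies the three lines above;
// parseCsp and mergeGaSources are hypothetical helper names.
const GA_SOURCES = {
  'script-src': ['*.googletagmanager.com'],
  'img-src': ['*.google-analytics.com', '*.googletagmanager.com'],
  'connect-src': ['*.google-analytics.com', '*.analytics.google.com', '*.googletagmanager.com'],
};

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so only the first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function mergeGaSources(policy) {
  const directives = parseCsp(policy);
  for (const [name, needed] of Object.entries(GA_SOURCES)) {
    let sources = directives.get(name);
    if (!sources) {
      // An absent directive falls back to default-src. Declaring it replaces that
      // fallback instead of extending it, so seed it with default-src's sources.
      if (!directives.has('default-src')) continue; // this resource type is unrestricted
      sources = [...directives.get('default-src')];
      directives.set(name, sources);
    }
    if (sources.includes('*')) continue; // wildcard already admits the GA hosts
    const none = sources.indexOf("'none'");
    if (none !== -1) sources.splice(none, 1); // 'none' is only valid on its own
    for (const src of needed) if (!sources.includes(src)) sources.push(src);
  }
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ') + ';';
}

// Constructed sample: the author's policy before the GA entry was added.
const SAMPLE_POLICY = `
  default-src 'self' https://disqus.com https://c.disquscdn.com;
  script-src 'self' 'unsafe-eval' 'unsafe-inline' https://worthhearing.disqus.com;
  style-src 'unsafe-inline';
  img-src * blob: data:;
  connect-src *;
`;
console.log(mergeGaSources(SAMPLE_POLICY));
```

With the sample input only script-src changes, because img-src and connect-src already contain `*`.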

Thanks to Google for documenting this well!
