Handle content-security-policy for activated Google Analytics / Tagmanager
When using a content-security-policy you need to recheck and add checksums for every Google Analytics or Tagmanager account that might be used. This is because the UA code is embedded in the inline script. This means that after adding, changing an account you have to visit the site in Chrome, see which checksum it expects and adding it to the list)
This means the following use-cases will give problems:
- Copy of paste, only changing UA-... code and assuming it works
- Using a different analytics account for a specific site and assuming it works
- Making the analytics account configurable
Solutions:
- Most futureproof: when the content-security headers are set through a siteprofile automatically add the checksum for generated inline-script. This should be future-proof AND keep sites working which already use a hash for generated inline analytics script (we just add the new correct hash).
- Alternatively: Set the account code as attribute, read and use it in the inline code. This way the inline-script doesn't change with the analytics code. However this would break sites which already use a hash for that inline-script and would also break if we need to change it for another reason.