cambio en vufind para google analytics.
We need to change one php file module/VuFind/src/VuFind/View/Helper/Root/GoogleAnalytics.php
on function "getRawJavascript"
//new code that insert the nonce attribute on "script" tag created by s.createElement()
if ($this->universal) {
return '(function(i,s,o,g,r,a,m){'
. "i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){"
. '(i[r].q=i[r].q||[]).push(arguments)},'
. 'i[r].l=1*new Date();a=s.createElement(o),'
. 'm=s.getElementsByTagName(o)[0];a.async=1;a.src=g;
//new code !!!!
var nonce=m.getAttribute("nonce");a.setAttribute("nonce",nonce); '
. 'm.parentNode.insertBefore(a,m);'
. "})(window,document,'script',"
. "'//www.google-analytics.com/analytics.js','ga');"
. "ga('create', '{$this->key}', 'auto');"
. "ga('send', 'pageview');";
}
On config file config.ini
[GoogleAnalytics]
apiKey="UA-xxxx-X"
universal=true
on contentsecuritypolicy.ini
; Settings for Content Security Policy header; you can learn more here:
; https://vufind.org/wiki/administration:security:content_security_policy
[CSP]
; This setting can be used to control the operating mode for each APPLICATION_ENV
; value (written as an array key below). Please note that the Whoops error handler
; (enabled in development mode) does not show correctly when enabled[development] is
; set to true.
;
; Following options are supported:
; false - Disabled
; "report_only" - Enabled in report-only mode (default). See report-to setting below.
; true - Enabled in enforcing mode
enabled[production] = true
;"report_only"
enabled[development] = true
;"report_only"
; The nonce (number used once) - unique number for each request. It is strongly
; recommended to keep this setting on. The generated nonce directive is automatically
; added to script-src directives if any are set in [Directives] below.
use_nonce = true
; Directives; you can find a list of available directives on this page:
; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
; For evaluation of CSP you can use this tool provided by Google:
; https://csp-evaluator.withgoogle.com/
; See also the VuFind wiki for additional recommendations and tools:
; https://vufind.org/wiki/administration:security:content_security_policy
[Directives]
default-src[] = "'none'"
script-src[] = "'strict-dynamic'"
; 'unsafe-inline' is set for compatibility with older or buggy browsers. Newer ones
; will ignore it.
script-src[] = "'unsafe-inline' 'report-sample'"
script-src[] = "http:"
script-src[] = "https:"
script-src[] = "https://www.google-analytics.com https://ssl.google-analytics.com"
connect-src[] = "'self'"
connect-src[]= "https://www.google-analytics.com"
style-src[] = "'self'"
style-src[] = "'unsafe-inline'"
img-src[] = "'self'"
img-src[] = "https://www.google-analytics.com https://ssl.google-analytics.com"
; If you are using MapSelection recommendation module, uncomment a line below
; for the basemap you are using:
;img-src[] = "https://maps.wikimedia.org"
;img-src[] = "http://tile.stamen.com"
;img-src[] = "http://basemaps.cartocdn.com"
; If you are using ObalkyKnih as cover service you will need to uncomment the two
; lines below. Note these are default URLs; their change is unlikely but possible,
; so you should ensure they are still valid.
;img-src[] = https://cache.obalkyknih.cz
;img-src[] = https://cache2.obalkyknih.cz
font-src[] = "'self'"
base-uri[] = "'self'"
; Set URI that the browser should use to report CSP violation; you should provide
; this URL when you enable report_only mode to capture the violations.
;report-to[] = 'https://example.report-uri.com'