From acde857e4c2b250210a7dc7fe26ce6c382616c76 Mon Sep 17 00:00:00 2001
From: Kohei Yoshino <kohei.yoshino@gmail.com>
Date: Fri, 27 Jul 2018 10:03:40 -0400
Subject: Bug 1419636 - Make Google Analytics use beacon/XHR instead of img tag

---
 Bugzilla/CGI.pm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 03805ad1e..dbcb3ef68 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -39,11 +39,13 @@ sub DEFAULT_CSP {
         script_src  => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
         frame_src   => [ 'none', ],
         worker_src  => [ 'none', ],
-        img_src     => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
+        img_src     => [ 'self', 'https://secure.gravatar.com' ],
         style_src   => [ 'self', 'unsafe-inline' ],
         object_src  => [ 'none' ],
         connect_src => [
             'self',
+            # This is for extensions/GoogleAnalytics using beacon or XHR
+            'https://www.google-analytics.com',
             # This is from extensions/OrangeFactor/web/js/orange_factor.js
             'https://treeherder.mozilla.org/api/failurecount/',
         ],
@@ -70,9 +72,11 @@ sub SHOW_BUG_MODAL_CSP {
     my ($bug_id) = @_;
     my %policy = (
         script_src  => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval', 'https://www.google-analytics.com' ],
-        img_src     => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
+        img_src     => [ 'self', 'https://secure.gravatar.com' ],
         connect_src => [
             'self',
+            # This is for extensions/GoogleAnalytics using beacon or XHR
+            'https://www.google-analytics.com',
             # This is from extensions/OrangeFactor/web/js/orange_factor.js
             'https://treeherder.mozilla.org/api/failurecount/',
         ],
-- 
cgit v1.2.3-24-g4f1b