Closed Bug 1419636 Opened 3 years ago Closed 2 years ago
Make Google Analytics use beacon/XHR instead of img tag
For reasons related to protecting against XSS, using an XHR is recommended over an image tag (because img-src should never list remote sites we do not control).
Priority: -- → P1
Looks like GA comes with an option to use `navigator.sendBeacon` or XHR by default. Given that BMO no longer supports IE, we don’t have to think about image fallbacks, allowing us to remove the `img-src` directive. We still need `connect-src` for beacon or XHR though.
https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference#transport
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
Assignee: nobody → kohei.yoshino
Status: NEW → ASSIGNED
Summary: Make Google Analytics use XHR instead of img tag → Make Google Analytics use beacon/XHR instead of img tag
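The transport choice and the matching CSP change discussed above can be checked together. The following is an added example, not code from this bug or from BMO: `pickTransport`, `parseCsp`, `auditCsp`, the sample policies and the analytics origin are all assumptions made for illustration.

```javascript
// Added example: helper names and sample policies are constructed, not BMO's code.

// Choose an analytics.js `transport` value that never falls back to an <img> hit.
// In a page: ga('set', 'transport', pickTransport(navigator));
function pickTransport(nav) {
  return nav && typeof nav.sendBeacon === 'function' ? 'beacon' : 'xhr';
}

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Sources that do not name a remote host: quoted keywords, data:, blob:.
const isLocal = (src) => /^'.*'$/.test(src) || /^(data|blob):$/i.test(src);

// Report remote img-src sources outside `controlled`, and a connect-src
// that would block hits to the analytics origin.
function auditCsp(header, analyticsOrigin, controlled = []) {
  const csp = parseCsp(header);
  const effective = (d) => csp.get(d) || csp.get('default-src') || null;
  const findings = [];
  const img = effective('img-src');
  if (img === null) findings.push('img-src: unrestricted (no directive)');
  for (const src of img || []) {
    if (!isLocal(src) && !controlled.includes(src)) {
      findings.push(`img-src: remote source ${src}`);
    }
  }
  const connect = effective('connect-src');
  if (connect !== null && !connect.includes(analyticsOrigin)) {
    findings.push(`connect-src: ${analyticsOrigin} missing, hits blocked`);
  }
  return findings;
}

// Constructed sample policies (the analytics origin is an assumption).
const GA = 'https://www.google-analytics.com';
const before = `default-src 'self'; img-src 'self' ${GA}`;
const after = `default-src 'self'; img-src 'self'; connect-src 'self' ${GA}`;
```

`auditCsp(before, GA)` reports both the remote `img-src` entry and the missing `connect-src` entry, while `auditCsp(after, GA)` returns no findings.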
PR merged to master.
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED