Update CSP to allow Google Analytics.

files/templates/authforms.html

@@ -5,7 +5,7 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+		{% include "csp.html" %}
 
 		<meta charset="utf-8">
 		<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

files/templates/chat.html

@@ -4,7 +4,7 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 	<meta charset="utf-8">
 	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

files/templates/csp.html

@@ -0,0 +1 @@
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self' *.google-analytics.com *.analytics.google.com; object-src 'none'; img-src 'self' *.google-analytics.com *.analytics.google.com">

files/templates/default.html

@@ -5,7 +5,7 @@
 	
 	<link rel="alternate" type="application/rss+xml" title="The Motte RSS" href="/rss">
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.cloudflare.com; connect-src 'self' tls-use1.fpapi.io api.fpjs.io {% if PUSHER_ID != 'blahblahblah' %}{{PUSHER_ID}}.pushnotifications.pusher.com{% endif %}; object-src 'none';">
+	{% include "csp.html" %}
 
 	<script src="{{ 'js/bootstrap.js' | asset }}"></script>
 	<script src="{{ 'js/micromodal.js' | asset }}"></script>

files/templates/login.html

@@ -6,7 +6,7 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 	<script src="{{ 'js/bootstrap.js' | asset }}"></script>
 

files/templates/login_2fa.html

@@ -6,7 +6,7 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 		<meta charset="utf-8">
 		<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

files/templates/settings.html

@@ -5,7 +5,7 @@
 	{% include "analytics.html" %}
 
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 	<script src="{{ 'js/bootstrap.js' | asset }}"></script>
 

files/templates/sign_up.html

@@ -5,7 +5,7 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 		<script src="{{ 'js/bootstrap.js' | asset }}"></script>
 

files/templates/sign_up_failed_ref.html

@@ -3,8 +3,10 @@
 <html lang="en">
 
 <head>
+	{% include "analytics.html" %}
+	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 		<script src="{{ 'js/bootstrap.js' | asset }}"></script>
 

files/templates/submit.html

@@ -4,7 +4,7 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+	{% include "csp.html" %}
 
 		<script src="{{ 'js/bootstrap.js' | asset }}"></script>