Clean up CSP a little more to work properly with Analytics.

files/routes/allroutes.py

@@ -53,9 +53,9 @@ def teardown_request(error):
 def after_request(response: Response):
 	response.headers.add("Content-Security-Policy", (
 		"script-src 'self' 'unsafe-inline';"
-		" connect-src 'self' *.google-analytics.com *.analytics.google.com;"
-		" object-src 'none';"
-		" img-src 'self' *.google-analytics.com *.analytics.google.com"
+		" script-src:  'self' https://*.googletagmanager.com"
+		" img-src:     https://*.google-analytics.com https://*.googletagmanager.com"
+		" connect-src: 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com"
 	))
 	response.headers.add("Strict-Transport-Security", "max-age=31536000")
 	response.headers.add("X-Frame-Options", "deny")

files/templates/email/default.html

@@ -3,7 +3,6 @@
 <html>
   <head>
     <meta name="description" content="{{config('DESCRIPTION')}}">
-    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <title></title>

files/templates/settings2.html

@@ -6,7 +6,6 @@
 	{% include "analytics.html" %}
 	
 	<meta name="description" content="{{config('DESCRIPTION')}}">
-	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
 
 	<script src="{{ 'js/bootstrap.js' | asset }}"></script>