Manifest V3: google analytics and google tag manager in CSP. Local version?


Omar Khazamov

Jan 6, 2022, 1:39:19 PM
to Chromium Extensions
Hi, 
I'm currently migrating my Chrome extension from the manifest V2 to V3. It seems like the new manifest V3 does not allow any external resources in the content security policy. My content security policy currently looks like this:

  "content_security_policy":
  {
    "extension_pages": "script-src  'self' https://www.google-analytics.com https://www.googletagmanager.com; object-src 'self'",
    "sandbox_pages": "script-src self"
  }


This results in an insecure CSP value "https://www.google-analytics.com" in directive 'script-src' message when attempting to load the Chrome extension.

I don't think running google analytics script or google tag manager script locally is a recommended thing. I'm not sure why the migration guide didn't cover this. 
Has anyone encountered a similar issue? 

Thanks
Omar


Omar Khazamov

Jan 6, 2022, 1:53:17 PM
to Chromium Extensions, Omar Khazamov
 
So, the only way to solve this seems to be to host the script locally, which means (copy pasted from here):

  0. I miss version updates
  1. The script versions returned may depend on your browser. Even on your browser version. Or whatever else. This is a very efficient trick to minimize code served for a particular environment - i.e. you don’t need to return any polyfills for modern browsers. Or serve lighter mobile-optimized tags for slow mobile devices. Given the volume of traffic Google needs to serve it’s likely such techniques might be used. To fully eliminate this you’ll need to test everything in all the browsers your webapp is going to support.
  2. Your script may stop working any time without prior notice. Or stop working in some environments. From my experience when a new version is rolled out backward compatibility is provided for a while. After the script owners ensure the amount of traffic using outdated versions is negligible it’s dropped. Yes it may take a long time, but still - you’re likely to be there sooner or later, and it is unlikely that anybody in your team will track Google's announcements & releases on such things.
  • These scripts are to be loaded in async mode => no page rendering blocking
  • These scripts are likely to be already in your browser’s cache as they’re on almost any site on the Internet
  • Google's CDN has dozens of edge servers and even if the script isn’t in your cache it’s likely to be loaded very quickly

  

Omar Khazamov

Jan 8, 2022, 8:30:49 PM
to Chromium Extensions, Omar Khazamov

up

Andreas J. Virkus

Jan 12, 2022, 4:10:46 AM
to Chromium Extensions, omar.k...@gmail.com
Here's a related discussion on the topic. I guess the only way forward is to bundle it with your code for MV3 😕

Omar Khazamov

Jan 19, 2022, 8:19:29 AM
to Chromium Extensions, andrea...@gmail.com, Omar Khazamov
Thanks, so basically host the Google Analytics script locally.

Omar Khazamov

Nov 15, 2022, 10:42:22 AM
to Chromium Extensions, andrea...@gmail.com
Hello world :) 
Do we have support from Google Analytics for Chrome Extensions? If I remember correctly, Manifest V3 removes such possibility. Hoping to use Google Analytics in order to track the usage of the extension. Thank you!
--
Thanks,
Omar Khazamov

Stefan Van Damme

Nov 15, 2022, 12:51:27 PM
to Chromium Extensions, omar.k...@gmail.com, andrea...@gmail.com
Hi Omar,

Another way is to use POST calls to send your data to Google Analytics.
See this helpful tutorial on https://stackoverflow.com/a/73825802/1731468

Thanks,
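
The POST approach suggested above, as an added example (not code from any poster in this thread or from Google): events are sent to the GA4 Measurement Protocol endpoint with fetch(), so no remote host has to appear in the `script-src` of `extension_pages`. The measurement ID, API secret, validation rules and function names are placeholders or assumptions of this example.

```javascript
// Added example: GA4 Measurement Protocol over fetch(); no remote script is loaded.
const GA_ENDPOINT = "https://www.google-analytics.com/mp/collect";
const MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, use your own stream's ID
const API_SECRET = "REPLACE_ME"; // placeholder; it ships in the package, so treat it as public

// Conservative name check chosen for this example (letters, digits, underscore).
const NAME_RE = /^[A-Za-z][A-Za-z0-9_]{0,39}$/;

// Build the POST request for one event. Pure function, testable offline.
function buildRequest(clientId, name, params = {}) {
  if (!NAME_RE.test(name)) throw new Error(`invalid event name: ${name}`);
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (!NAME_RE.test(key)) throw new Error(`invalid parameter name: ${key}`);
    // Primitives only, strings truncated, so page text or URLs are not sent wholesale.
    if (!["string", "number", "boolean"].includes(typeof value)) {
      throw new Error(`unsupported value for ${key}`);
    }
    clean[key] = typeof value === "string" ? value.slice(0, 100) : value;
  }
  const url = new URL(GA_ENDPOINT);
  url.searchParams.set("measurement_id", MEASUREMENT_ID);
  url.searchParams.set("api_secret", API_SECRET);
  return {
    url: url.toString(),
    init: {
      method: "POST",
      body: JSON.stringify({ client_id: clientId, events: [{ name, params: clean }] }),
    },
  };
}

// Send one event. Returns true on a 2xx response and false on any failure,
// so a telemetry problem never breaks the extension itself.
async function sendEvent(fetchImpl, clientId, name, params) {
  try {
    const { url, init } = buildRequest(clientId, name, params);
    const response = await fetchImpl(url, init);
    return response.ok;
  } catch (err) {
    return false;
  }
}

// Assumed wiring in the service worker: keep a random per-install ID (for example
// from crypto.randomUUID()) in chrome.storage.local and pass it as clientId:
//   sendEvent(fetch, clientId, "extension_opened", { source: "popup" });
```

The collect endpoint answers 2xx for any request it receives, so check payloads against the `/debug/mp/collect` validation endpoint during development.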

