diff --git a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
index 6d47cdbac..7fc547d78 100644
--- a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
+++ b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
@@ -121,8 +121,12 @@ export const contentSecurityPolicyMiddleware = (
 // TODO(aomarks) We use some data: URLs for SVGs in docs.css. There's
 // probably a simpler way.
+ //
 // The ytimg.com domain is needed for embedded YouTube videos.
- `img-src 'self' data: https://i.ytimg.com/`,
+ //
+ // The googletagmanager.com domain is needed for Google Analytics
+ // (https://developers.google.com/tag-manager/web/csp).
+ `img-src 'self' data: https://i.ytimg.com/ https://www.googletagmanager.com/`,
 // Disallow any embeds, applets, etc. This would usually be covered by
 // `default-src: 'none'`, but we can't set that for the reason explained
@@ -201,9 +205,7 @@ export const contentSecurityPolicyMiddleware = (
 } else {
 policy = strictFallbackCsp;
 }
- // TODO(aomarks) Remove -Report-Only suffix when we are confident the
- // policy is working.
- ctx.set('Content-Security-Policy-Report-Only', policy);
+ ctx.set('Content-Security-Policy', policy);
 return next();
 };
 };
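Review bot: Replacing `ctx.set('Content-Security-Policy-Report-Only', policy)` with the enforcing `Content-Security-Policy` header in the second hunk removes the report-only header outright, and whether blocked loads are still reported anywhere now depends on `policy` carrying a `report-uri`/`report-to` directive, which is assembled outside this hunk and not visible here. If it does not, a resource the strict policy blocks on an untested page fails silently in users' browsers with no signal back to the team. I would keep a reporting endpoint in the enforced policy, or send both headers for a transition period — the enforced known-good policy plus `ctx.set('Content-Security-Policy-Report-Only', candidatePolicy)` for any stricter variant still under evaluation — so regressions stay observable. The first hunk also widens `img-src` in the same commit, so the policy enforced here is not byte-identical to the one that ran in report-only mode; that may be intended, but it is worth stating in the commit message. contentSecurityPolicyMiddleware begins before both hunks.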