From f6d47fcc9a5d9c02a8b8059f34e64adcc000db76 Mon Sep 17 00:00:00 2001
From: Alexander Marks <aomarks@google.com>
Date: Thu, 7 Oct 2021 09:14:28 -0700
Subject: [PATCH 1/2] Enable enforced CSP

---
 .../src/middleware/content-security-policy-middleware.ts      | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
index 6d47cdbac..4f86262fc 100644
--- a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
+++ b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
@@ -201,9 +201,7 @@ export const contentSecurityPolicyMiddleware = (
     } else {
       policy = strictFallbackCsp;
     }
-    // TODO(aomarks) Remove -Report-Only suffix when we are confident the
-    // policy is working.
-    ctx.set('Content-Security-Policy-Report-Only', policy);
+    ctx.set('Content-Security-Policy', policy);
     return next();
   };
 };

From 409ae8ed1569aa2e1d76adcffe4f88034f226e57 Mon Sep 17 00:00:00 2001
From: Alexander Marks <aomarks@google.com>
Date: Thu, 7 Oct 2021 09:54:15 -0700
Subject: [PATCH 2/2] Add google analytics to img-src

---
 .../src/middleware/content-security-policy-middleware.ts    | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
index 4f86262fc..7fc547d78 100644
--- a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
+++ b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
@@ -121,8 +121,12 @@ export const contentSecurityPolicyMiddleware = (
 
     // TODO(aomarks) We use some data: URLs for SVGs in docs.css. There's
     // probably a simpler way.
+    //
     // The ytimg.com domain is needed for embedded YouTube videos.
-    `img-src 'self' data: https://i.ytimg.com/`,
+    //
+    // The googletagmanager.com domain is needed for Google Analytics
+    // (https://developers.google.com/tag-manager/web/csp).
+    `img-src 'self' data: https://i.ytimg.com/ https://www.googletagmanager.com/`,
 
     // Disallow any embeds, applets, etc. This would usually be covered by
     // `default-src: 'none'`, but we can't set that for the reason explained