Google Ads, Pixel, Trackers or Beacons

CSP for Google Ads, Pixel, Trackers or Beacons


Using Google Ads, Pixel, Trackers or Beacons with Content Security Policy

Add Google Ad services to your CSP.

Allow these directives in your Content Security Policy to support Google Ads, Pixel, Trackers or Beacons:

script-src
  'unsafe-eval'
  https://*.doubleclick.net
  https://*.googleadservices.com
  https://*.google.com
  https://*.googlesyndication.com
  https://*.googletagservices.com;
style-src
  'unsafe-inline'
  *.google.com;
object-src
  *.googlesyndication.com;
frame-src
  *.google.com
  *.doubleclick.net
  *.googlesyndication.com;
child-src
  blob:
  *.google.com
  *.doubleclick.net
  *.googlesyndication.com;
img-src
  data:
  *.google.com
  *.doubleclick.net
  *.googlesyndication.com
  www.googleadservices.com;
font-src
  data:;
connect-src
  *.doubleclick.net
  *.google.com
  *.googlesyndication.com
  www.googletagservices.com
  about:;
form-action
  *.google.com;
media-src
  dai.google.com;
prefetch-src
  *.googlesyndication.com;
worker-src
  blob:
  www.google.com;

The main domains used by Google Ads, Pixel, Trackers or Beacons are:

doubleclick.net
googlesyndication.com
googleadservices.com
googletagservices.com

Example Content-Security-Policy violations / reports:

Using the above CSP package will fix these errors that you may be seeing in your console logs:

script-src / script-src-elem / script-src-attr violations

Refused to load the script 'https://www.googleadservices.com/pagead/conversion_async.js' because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

style-src / style-src-elem / style-src-attr violations

Refused to load the stylesheet 'doubleclick.net' because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.

font-src violations

Refused to load the font 'doubleclick.net' because it violates the following Content Security Policy directive: "font-src 'self'"

img-src violations

Refused to load the image 'doubleclick.net' because it violates the following Content Security Policy directive: "img-src 'self'".

frame-src violations

[Report Only] Refused to frame 'doubleclick.net' because it violates the following Content Security Policy directive: "frame-src 'self'".

form-action violations

[Report Only] Refused to send form data to 'doubleclick.net' because it violates the following Content Security Policy directive: "form-action 'self'".

connect-src violations

[Report Only] Refused to connect to 'doubleclick.net' because it violates the following Content Security Policy directive: "connect-src 'self'"
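
To check whether a blocked URL from a console message is covered by the package, the following added example (not code from this page, RapidSec or Google) applies CSP source-list matching to three of the directives above. It models scheme and host matching only and assumes the protected page is served over https; the function names are chosen here, and every URL other than the `conversion_async.js` one is constructed.

```javascript
// Added example: a subset of CSP source-list matching (scheme + host only).
// Assumptions: the protected page is served over https, so scheme-less sources
// are treated as matching only https: URLs; source paths and explicit ports,
// and the fallback to default-src, are not modelled.
// POLICY holds three directives copied from the package, joined as a header value.
const POLICY =
  "script-src 'unsafe-eval' https://*.doubleclick.net https://*.googleadservices.com " +
  "https://*.google.com https://*.googlesyndication.com https://*.googletagservices.com; " +
  "img-src data: *.google.com *.doubleclick.net *.googlesyndication.com www.googleadservices.com; " +
  "frame-src *.google.com *.doubleclick.net *.googlesyndication.com";

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

function hostMatches(pattern, host) {
  // "*.example.com" matches any subdomain but not the bare "example.com".
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceAllows(source, url) {
  const src = source.toLowerCase();
  if (src.startsWith("'")) return false; // keywords such as 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source, e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/.exec(src);
  if (!m) return false; // sources with ports or paths are outside this subset
  const schemeOk = url.protocol === (m[1] ? m[1] + ':' : 'https:');
  return schemeOk && url.port === '' && hostMatches(m[2], url.hostname);
}

// Returns true or false, or null when the directive is not in the policy.
function allowedBy(policy, directive, rawUrl) {
  const sources = policy.get(directive);
  if (!sources) return null;
  const url = new URL(rawUrl);
  return sources.some((s) => sourceAllows(s, url));
}

const policy = parsePolicy(POLICY);
// URL from the script-src violation message on this page:
console.log(allowedBy(policy, 'script-src', 'https://www.googleadservices.com/pagead/conversion_async.js'));
// Constructed URL: a bare apex host is not covered by the *.doubleclick.net wildcard.
console.log(allowedBy(policy, 'img-src', 'https://doubleclick.net/pixel.gif'));
```

When a violation persists after the package is applied, comparing the blocked URL's exact host and scheme against the directive's sources this way shows which source is missing.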