Google Local Beacons (other countries)

CSP for Google Local Beacons (other countries)

ads

Using Google Local Beacons (other countries) with Content Security Policy

Google makes it very hard to configure a CSP with connect-src, since their conversion pixels fire per country. This package covers the less common country domains (for global sites). Note that there are other packages for other countries, and for conversion pixels (instead of beacons).

Allow these directives in your CSP to support Google Local Beacons (other countries) in your Content Security Policy:

img-src
  *.google.com.gt
  *.google.im
  *.google.je
  *.google.com.lb
  *.google.gg
  *.google.com.qa
  *.google.com.mt
  *.google.tn
  *.google.com.om
  *.google.com.bh
  *.google.com.bo
  *.google.ba
  *.google.co.zw
  *.google.co.ao
  *.google.is
  *.google.tt
  *.google.az
  *.google.com.ni
  *.google.co.zm
  *.google.me
  *.google.cm
  *.google.com.ly
  *.google.bs
  *.google.com.kh
  *.google.mn
  *.google.cv
  *.google.mg
  *.google.com.mm
  *.google.co.tz
  *.google.ps
  *.google.com.bn
  *.google.com.na
  *.google.co.bw
  *.google.mw
  *.google.tg
  *.google.com.gi
  *.google.mv
  *.google.rw
  *.google.sn
  *.google.gy
  *.google.ci
  *.google.co.uz
  *.google.gm
  *.google.bj
  *.google.com.sl
  *.google.la
  *.google.com.af
  *.google.com.fj
  *.google.kg
  *.google.co.vi
  *.google.to
  *.google.co.ls
  *.google.bf
  *.google.com.ag
  *.google.cg
  *.google.cd
  *.google.sc
  *.google.sr
  *.google.com.bz
  *.google.ne
  *.google.ht
  *.google.so
  *.google.vg
  *.google.ga
  *.google.ad
  *.google.dm
  *.google.dj
  *.google.com.pg
  *.google.com.vc
  *.google.ml
  *.google.tm
  *.google.as
  *.google.bi
  *.google.co.ck
  *.google.sm
  *.google.com.cu
  *.google.bt
  *.google.td
  *.google.ms
  *.google.ki
  *.google.li
  *.google.st
  *.google.ws
  *.google.com.ai
  *.google.tl
  *.google.com.tj
  *.google.fm
  *.google.gl;
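A directive with this many host sources is easier to reason about when you can test a URL against it. The following is an added example (my own code, not RapidSec's): it renders an img-src directive from an excerpt of the list above and implements CSP Level 3 host-source matching (scheme, host, port; path matching is left out). It also makes one caveat visible: a `*.google.com.gt` source matches www.google.com.gt but not the bare google.com.gt, because the wildcard stands for at least one subdomain label, so a beacon served from the apex domain needs its own entry. The shop.example page origin and the beacon URLs are constructed.

```python
"""Render an img-src directive and check URLs against it using CSP host-source
matching rules. Added example, not RapidSec code; sample origins/URLs are constructed."""
from urllib.parse import urlsplit

# Excerpt of the img-src host list on this page; the full list is used the same way.
IMG_SRC_HOSTS = ["*.google.com.gt", "*.google.im", "*.google.je", "*.google.gl"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_img_src(hosts, keywords=("'self'",)):
    """Render an img-src directive: keyword sources first, then host sources."""
    return "img-src " + " ".join([*keywords, *hosts]) + ";"


def host_part_matches(pattern_host, host):
    """CSP host-part matching (CSP Level 3), case-insensitive.

    '*'            matches any host.
    '*.google.im'  matches www.google.im and a.b.google.im, but NOT the bare
                   google.im: the wildcard must cover at least one label.
    'google.im'    matches only google.im itself.
    """
    pattern_host, host = pattern_host.lower(), host.lower()
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])  # host must end with ".google.im"
    return pattern_host == host


def scheme_matches(pattern_scheme, url_scheme):
    """Scheme-part match: equal, or an http/ws pattern also admits https/wss."""
    pattern_scheme, url_scheme = pattern_scheme.lower(), url_scheme.lower()
    return pattern_scheme == url_scheme or (pattern_scheme, url_scheme) in {
        ("http", "https"), ("ws", "wss")}


def source_matches(source, url, page_origin):
    """Does one source expression ('self', scheme-source or host-source) cover url?"""
    u, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)) == (
            page.scheme, page.hostname, page.port or DEFAULT_PORTS.get(page.scheme))
    if source.startswith("'"):   # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if source.endswith(":"):     # scheme-source such as data: or https:
        return scheme_matches(source[:-1], u.scheme)
    # host-source: [scheme://]host[:port][/path]; path matching is omitted here
    scheme, rest = None, source
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    rest = rest.split("/", 1)[0]
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    # Without an explicit scheme the page's own scheme applies (http pages may load https).
    if not scheme_matches(scheme or page.scheme, u.scheme):
        return False
    if not host_part_matches(rest, u.hostname or ""):
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if port is None:             # no port in the source: URL must use its scheme's default
        return url_port == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or url_port == int(port)


def img_src_allows(directive, url, page_origin="https://shop.example"):
    """True if the image at url may load under the given img-src directive."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "img-src":
        raise ValueError("expected an img-src directive")
    sources = tokens[1:]
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    directive = build_img_src(IMG_SRC_HOSTS)
    print(directive)
    for url in ("https://www.google.com.gt/beacon.gif",  # constructed: matches *.google.com.gt
                "https://google.com.gt/beacon.gif",      # bare apex: not matched by the wildcard
                "https://www.google.com/beacon.gif",     # belongs to a different package
                "http://www.google.im/beacon.gif"):      # plain http from an https page
        print(f"{url:45} allowed={img_src_allows(directive, url)}")
```

Running it prints the rendered directive and then `allowed=True` only for the www.google.com.gt URL; the apex, the .com host and the plain-http request are all refused, which is exactly what the browser's "Refused to load the image" report would tell you after the fact.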

The main domains used by Google Local Beacons (other countries) are:

google.com.gt
google.im
google.je
google.com.lb
google.gg
google.com.qa
google.com.mt
google.tn
google.com.om
google.com.bh
google.com.bo
google.ba
google.is
google.co.zw
google.co.ao
google.tt
google.az
google.co.zm
google.com.ni
google.me
google.com.ly
google.bs
google.cm
google.com.kh
google.cv
google.mn
google.mg
google.com.mm
google.co.tz
google.com.na
google.ps
google.com.bn
google.co.bw
google.mw
google.tg
google.sn
google.com.gi
google.co.uz
google.mv
google.ci
google.gy
google.rw
google.gm
google.com.sl
google.bj
google.com.af
google.to
google.la
google.com.fj
google.kg
google.co.vi
google.co.ls
google.bf
google.com.ag
google.cg
google.cd
google.sr
google.sc
google.com.bz
google.ne
google.ht
google.so
google.vg
google.ga
google.ad
google.dm
google.com.pg
google.dj
google.com.vc
google.ml
google.tm
google.as
google.bi
google.co.ck
google.sm
google.com.cu
google.td
google.bt
google.ki
google.ms
google.li
google.st
google.ws
google.com.ai
google.tl
google.com.tj
google.fm
google.gl

Sources:

Google Adwords CSP (content security policy) img-src (Stackoverflow)
RapidSec CSP Generator (RapidSec Data Network)

Example Content-Security-Policy violations / reports:

Using the above CSP package will fix these errors that you may be seeing in your console logs:

script-src/script-src-elem/script-src-attr violations

If you see inline script errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.

If you see inline eval() errors, RapidSec will generate your CSP with the specific content of the errors:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'report-sample'".

style-src/style-src-elem/style-src-attr violations

If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.
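Both the inline-script and the inline-style reports above end the same way: the browser names the hash it computed and will accept. How such a hash source (or a nonce) is derived is shown by the following added example, which is my own code and not RapidSec's generator; the inline script and style bodies are constructed. The point worth seeing is that the hash covers the exact text between the tags, so an editor re-indenting the block silently breaks the policy, whereas a nonce is independent of content and must be freshly generated per response.

```python
"""Derive CSP hash sources for inline <script>/<style> bodies and mint a
per-response nonce. Added example; not RapidSec tooling. Sample bodies are constructed."""
import base64
import hashlib
import secrets


def hash_source(inline_body, algorithm="sha256"):
    """Return the CSP source expression for an inline block, e.g. 'sha256-…'.

    The digest is taken over the exact UTF-8 text between the opening and
    closing tag; any change in whitespace or line endings yields a new hash.
    """
    digest = hashlib.new(algorithm, inline_body.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def nonce_source():
    """Mint a fresh nonce: (value for the tag's nonce attribute, CSP source expression).
    128 bits from the OS CSPRNG, base64-encoded; call once per HTTP response."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return nonce, f"'nonce-{nonce}'"


def directive_for(name, inline_bodies, nonce=None, base=("'self'", "'report-sample'")):
    """Build a script-src or style-src directive that admits the given inline bodies."""
    sources = list(base) + [hash_source(body) for body in inline_bodies]
    if nonce is not None:
        sources.append(f"'nonce-{nonce}'")
    return f"{name} " + " ".join(sources) + ";"


if __name__ == "__main__":
    script = "console.log('beacon fired');"          # constructed inline script body
    style = "body { margin: 0; }"                    # constructed inline style body
    nonce, _ = nonce_source()
    print(directive_for("script-src", [script], nonce=nonce))
    print(directive_for("style-src", [style]))
    # Re-indenting the script changes its hash and the old policy no longer admits it.
    print(hash_source(script) == hash_source("  " + script))   # False
```

The hash and nonce values from `hash_source` and `nonce_source` go into the policy header; the bare nonce string goes into the tag's `nonce` attribute. Hashes suit fixed inline blocks that never change; nonces suit templated pages where the inline content varies.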

img-src violations

Refused to load the image 'google.com.gt' because it violates the following Content Security Policy directive: "img-src 'self'".

frame-src violations

[Report Only] Refused to frame 'google.com.gt' because it violates the following Content Security Policy directive: "frame-src 'self'".

form-action violations

[Report Only] Refused to send form data to 'google.com.gt' because it violates the following Content Security Policy directive: "form-action 'self'".

connect-src violations

[Report Only] Refused to connect to 'google.com.gt' because it violates the following Content Security Policy directive: "connect-src 'self'"