CSP rule not working. Is there a default Netlify CSP out of my control?

Hi,

My website guitmz.com is hosted via Netlify (DNS too). I’m trying to use Plausible for analytics and I can’t make it work. I added a custom CSP rule to allow connections to it already but even if I remove the CSP headers entirely, the error stays the same. Is there a default CSP rule applied by Netlify that I can’t see?

Error: Refused to connect to https://plausible.io/api/event because it does not appear in the connect-src directive of the Content Security Policy.

Config I tried (tried several, this is one of them): Content-Security-Policy: connect-src 'self' plausible.io

I tried with https://, the full URL of Plausible in CSP, tried with a custom subdomain (visitors.guitmz.com) instead too, it displays the same error always (with the subdomain the error changes to the subdomain of course).

Any guidance would be great! Thanks in advance

Hi, @guitmz. We don’t set or override any CSP headers nor do we set any by default.

Note, I believe your site is setting headers in two places:

  • in the file _headers
  • in the file netlify.toml

You might simplify the troubleshooting by setting these headers in just one place.

Now, about what CSP headers are required for plausible.io to work, that I do not know.

Our support team can help you troubleshoot the creation of custom headers but we need you to tell us what those headers are. In other words, we can troubleshoot Netlify but troubleshooting the CSP itself isn’t covered by the scope of our technical support here.

Other people here may be able to troubleshoot the CSP itself though so the question is definitely still welcome here. I just wanted to explain what is and is not covered by the support team.

1 Like
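An added Python example, not code from either poster or from Netlify: it approximates browser CSP source matching for connect-src so you can check which policy actually refuses a URL, including the situation the reply above points at, where _headers and netlify.toml each emit a Content-Security-Policy header and the browser enforces both. The policies, URLs and page origin below are constructed from this thread; nonces, hashes and 'strict-dynamic' are out of scope.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_csp(header):
    """Split one Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:                              # first occurrence of a directive wins
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def origin(u):
    """(scheme, host, effective port) of a parsed URL; what 'self' compares."""
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))

def source_matches(src, url, page):
    """Approximate CSP3 matching: 'self'/'none', scheme-source, host-source (no nonces/hashes)."""
    u, p = urlparse(url), urlparse(page)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(u) == origin(p)
    if src.endswith(":"):                       # scheme-source, e.g. "https:"
        return u.scheme == src[:-1].lower()
    s = urlparse(src if "://" in src else "//" + src)   # host-source [scheme://]host[:port][/path]
    if s.scheme:
        if u.scheme != s.scheme:
            return False
    elif not (u.scheme == p.scheme or (p.scheme == "http" and u.scheme == "https")):
        return False                            # scheme-less source follows the page scheme
    host, want = origin(u)[1], (s.hostname or "").lower()
    if want != "*" and host != want and not (want.startswith("*.") and host.endswith(want[1:])):
        return False                            # "*.example.com" covers subdomains, not the apex
    if origin(u)[2] != (s.port or DEFAULT_PORTS.get(u.scheme)):
        return False                            # no port in the source means the default port
    if s.path and not (u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path):
        return False
    return True

def connect_allowed(policies, url, page):
    """Several CSP headers on one response are all enforced: the URL must pass each."""
    for header in policies:
        d = parse_csp(header)
        sources = d.get("connect-src", d.get("default-src"))  # fetch-directive fallback
        if sources is not None and not any(source_matches(x, url, page) for x in sources):
            return False
    return True
```

Run `connect_allowed` with every Content-Security-Policy value the deployed response actually carries (check the response headers in the browser's network panel, not the files): a single `connect-src 'self' plausible.io` permits `https://plausible.io/api/event`, so a refusal means another policy is also in effect.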

I have removed all my headers (from _headers and netlify.toml) and my website still displays CSP errors, even with no CSP defined by me on the Netlify side.

Hi, @guitmz. I only see a warning now:

Error with Permissions-Policy header: Unrecognized feature: ‘interest-cohort’.

This says “Error” in the text but if you examine the log level of the message, it is “warning”, not “error”.

Probably because of this:

This is a header to block Google’s replacement for third-party cookie tracking called “Federated Learning of Cohorts” or FLoC.

Note, some people (myself included) think FLoC is evil (and I thought that company’s motto was not to do that - maybe they forgot). Example from the EFF:

In other words, that warning means your site is protected from FLoC. So, why does this warning say it is an error in the text? Maybe because the maker of the browser showing the warning as “Error” is the same company that is making FLoC. Maybe they want to scare you and use fear to trick you into using it (*cough* which totally isn’t evil *cough*).

Last but not least, please note we didn’t make that header. It is in the _headers file deployed with your site and, personally, I would recommend keeping that as it is.

1 Like