GA4 is being blocked by Content Security Policy


On 13 June 2022 – Google made an update to Google Analytics 4 which could break your tracking in Europe.

If you’ve already got GA4 on your site, that could mean you’re losing data (though you should have had an email from Google if so). If you’re trying to add GA4, you could be seeing some strange errors when you try to test it.

I’m going to explain what’s causing the problem before I tell you how to fix it, because it’s to do with some security settings on your website. In my experience, if we know why the problem is coming up, we can explain what we need to do better, and reassure colleagues whose job it is to care about security.

What’s causing the problem?

It’s your Content Security Policy.

A Content Security Policy is code on your website that limits where your pages can load content from.

I’ll break that down a bit. Say you’ve got a web page and you want to show an image from another website, you could do that like this;

That image is at https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png

But this page is showing that image.

We can do the same with, for example, JavaScript – that’s super useful when someone has written some nice code that does something complicated for us.

The problem is – that kind of flexibility can cause problems – if pages can load images or JavaScript from anywhere – people can use that to trick your visitors and steal information.

Because of the way the internet works – it would be a massive pain to block that from happening completely – every website would have to have its own version of loads of different bits of code.

So, to limit the risk – a Content Security Policy says “sure, you can load stuff from other sites, but only this list of sites that I’ve said are OK“.

For example, you might say – “Hey, it’s OK to load content from www.google-analytics.com” and that would let you download Analytics tracking scripts that handle a bunch of complicated stuff we don’t want to do by hand.

The thing is – Google changed where the Analytics code comes from

EU data regulations basically say that we can’t save data about EU citizens in databases in, for example, the US.

To avoid accidentally sending EU data to the US – Google changed how GA4 works, so that if you’re in the EU – it doesn’t download tracking scripts from www.google-analytics.com, but instead region1.google-analytics.com.

If your Content Security Policy specifies www.google-analytics.com then your website will block your analytics code for EU visitors and you won’t track them.

As Google says in their product update;

please work with your site administrators […] to resume traffic collection for your site and app visitors based in the EU

GA4 13 June 2022 announcement

How to know if your Content Security Policy is blocking your Analytics in the EU

This problem won’t affect everyone – it depends on what your Content Security Policy is.

Here I’ll give you some checks to confirm this is a problem for you.

The first is to check your email – if you already have GA4 on your site and your Content Security Policy won’t allow for this change, Google should already have sent emails to your account admins, warning you of this change. With all the emails flying around it would be easy to miss, but it should look something like this;

Email warning from Google that your Content Security Policy might block GA4

If you received an email like this, and you know you haven’t fixed it – go to the “What to do” section below. If you’re not sure – read on for some other ways you can check if this is a problem for you.

If you’ve already got GA4 on your site and don’t have an email like that, you may well be fine. If you want to be sure – the next easiest check is seeing if the data is still flowing in GA4, but don’t worry I’ll also take you through how to do specific on-page checks to figure out if this is a problem for you (either to confirm what you’re seeing in GA4, or to help you if you’re adding GA4 to the site for the first time and it doesn’t seem to be working).

Checking country traffic in GA4

If you’ve already been using GA4 for a little while – to double-check there hasn’t been any kind of big drop-off, you can use the Explore section.

Create a new report, choose “Continent” as the dimension, something like “Sessions” as the metric, and select the Line Chart visualisation. You’ll be able to see if Europe has suddenly dropped off.

If your EU traffic dropped off around 13 June 2022 and you’re still getting traffic from elsewhere – it could be the Content Security Policy issue and you should check out the next section to confirm.

How to check if a page CSP is blocking GA4

If you’re in the EU, follow these instructions, otherwise ask a friend (who is in the EU);

  • Go to a page on your site where GA4 should be tracking (if it’s not live on the site you could do this using GTM preview or I’ve included an alternative below)
  • Right-click and click “inspect” to open up the inspect panel
  • Click on “console” and look for an error like the below – the main things to check for are “region1.google-analytics.com” and “violates the following Content Security Policy directive”

If you don’t have GA4 on the site/can’t test with GTM

  • Go to a page, inspect, and go to console as above, then click into the text area near the bottom, next to the “>”
  • Paste the following code, replacing {{your tracking id}} with your GA4 tracking ID (it will start with G-), then hit enter to manually activate GA4:
// Console version of the Global site tag (gtag.js) - Google Analytics.
// The console runs JavaScript, not HTML, so the <script> tag is created in code.
var gaScript = document.createElement('script');
gaScript.async = true;
gaScript.src = 'https://www.googletagmanager.com/gtag/js?id={{your tracking id}}';
document.head.appendChild(gaScript);

// Same setup calls as the standard snippet
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());

gtag('config', '{{your tracking id}}');
  • Look in the area above where you pasted the code, for that same message – the main things to check for are “region1.google-analytics.com” and “violates the following Content Security Policy directive”

What to do if Google Analytics is being blocked by your Content Security Policy

As Google says in the product update announcement, most people will need to work with dev to change the site-wide Content Security Policy.

In line with Google’s guidance – I’m recommending that clients add *.google-analytics.com and *.analytics.google.com to the “connect-src” and “img-src” directives in their Content Security Policy (note the *. at the start).

That’s because *.google-analytics.com will allow region1.google-analytics.com and also region2.google-analytics.com, region3 etc. etc. etc.

We can be pretty confident that google-analytics.com is safe, and the fact that they’ve added “region1” suggests to me that they might add more in the future. Google was pretty quiet about this update so unless we have some flexibility in our security policy we’re likely to be surprised by lost data in future.
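To see why the exact-host entry blocks EU hits and the wildcard does not, here is an added example (not code from Google or from this post): a simplified CSP source matcher in JavaScript, run against two constructed policies. The function names, both policies and the sample /g/collect URL are assumptions for illustration.

```javascript
// Added example: simplified CSP source matching. It handles "*", scheme sources
// (https:) and host sources with a "*." wildcard, and ignores ports, paths,
// nonces, hashes and 'self'. Browsers implement the full algorithm.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function sourceMatches(source, url) {
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  // Strip scheme, port and path so only the host pattern is compared.
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/[:\/].*$/, '');
  const host = url.hostname.toLowerCase();
  // "*.example.com" matches any subdomain, but not "example.com" itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function cspAllows(policy, directive, target) {
  const directives = parsePolicy(policy);
  // connect-src and img-src fall back to default-src when they are absent.
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing restricts this fetch
  const url = new URL(target);
  return sources.some((s) => !s.startsWith("'") && sourceMatches(s, url));
}

// Constructed policies: the allow-list that breaks EU tracking, and the fix.
const BEFORE = "default-src 'self'; connect-src 'self' https://www.google-analytics.com; " +
  "img-src 'self' https://www.google-analytics.com";
const AFTER = "default-src 'self'; " +
  "connect-src 'self' *.google-analytics.com *.analytics.google.com; " +
  "img-src 'self' *.google-analytics.com *.analytics.google.com";
// Constructed sample request URL on the regional host named in the post.
const EU_HIT = 'https://region1.google-analytics.com/g/collect';

for (const [label, policy] of [['before', BEFORE], ['after', AFTER]]) {
  for (const directive of ['connect-src', 'img-src']) {
    console.log(label, directive, cspAllows(policy, directive, EU_HIT) ? 'allowed' : 'blocked');
  }
}
```

The wildcard only widens the allow-list to subdomains of the two Google domains; a lookalike host such as google-analytics.com.example.net still fails the match.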

Here’s Google’s exact wording in one of their emails;

Google’s recommendation for how to fix the CSP blocking issue

That’s it!

If your GA4 is currently recording data from EU customers you’re probably safe from this issue, but it could be easy to miss this problem (particularly if you are still mainly using UA, and just have GA4 on your site in preparation for the UA switch off).

If you’re trying to add GA4 to your site and it doesn’t seem to be working – this could be your solution.

Many thanks to Jill Quick for helping me pull together some of Google’s comms on this change!
