Hi @MaartenBPM - CSP is designed to prevent certain types of attacks like Cross-Site Scripting (XSS) and data injection attacks. It’s important to restrict sources to only trusted domains, but then again, since Google Analytics is one of the most widely used and trusted web analytics services, I believe it was added as default. There could be other possible reasons as well, but this is just my assumption.
@Saranya1996 It’s indeed widely used, but it should not be allowed by default in an OOTB secure CSP, I would think. But there might be good reasons for this; I'm interested in those.
@MaartenBPM The Google Analytics component is being used in many areas internally in the code, like in Snippet Rule creation and also in the internal help documents you see in the rules. To make those scripts and image sources that are being used in the default code of Pega whitelisted, these are added to the OOTB CSP.
Thank you!