by ptoomey3 3171 days ago
Thanks for the kind words. As Neil noted below, we would like to lock things down even further by proxying all data that is sent to Google Analytics. And, as a bonus, it would remove the last destination host for content exfil attacks that we know of. Our strict CSP policy has been a nice win, but the strictness has made it that much more clear that allowing nearly any third-party sites, even for innocuous things such as images/XHR, isn't ideal. And we are always on the lookout for more bypasses: https://bounty.github.com/targets/csp.html.

Oh nice, tell me more about proxying to GA. Do you just change some hostname config in the GA universal JS snippet to point to your forwarding proxy? How does GA know the end user's IP, as it will normally be your proxy forwarders'?
You basically report the data to your own servers and then relay whatever subset you like to google using their “measurement protocol”: https://developers.google.com/analytics/devguides/collection...
Interesting, what do you use on the client-side to pick up browser information (resolution, etc.)?
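The relay design described in the thread (browser reports to your own origin, your server forwards a chosen subset to Google via the Measurement Protocol) as an added example; this is not GitHub's code or anything from the thread. It assumes the client snippet POSTs a small JSON/form dict to a same-origin endpoint, and that you want the relay to be an allowlist rather than a blind forwarder, so it cannot be turned back into an arbitrary outbound data channel of the kind the strict CSP was meant to close. The field names (`page`, `host`, `res`, `lang`, `cid`), the placeholder property id and the sample report are constructed; the `uip`/`ua` override parameters are the Measurement Protocol v1 parameters for attributing a hit to the original client rather than to the relay.

```python
"""Same-origin analytics relay: accept a browser's report, forward an
allowlisted subset as a Measurement Protocol v1 pageview hit.
Constructed example; field names and ids are placeholders."""
from urllib.parse import urlencode
import urllib.request

# Measurement Protocol v1 collection endpoint.
GA_COLLECT_URL = "https://www.google-analytics.com/collect"

# Client-reported field -> Measurement Protocol parameter. Anything the
# browser sends that is not in this table is silently dropped, so the relay
# only ever emits parameters we have decided to share.
ALLOWED_FIELDS = {
    "page": "dp",   # document path
    "host": "dh",   # document host
    "res": "sr",    # screen resolution, e.g. "1920x1080"
    "lang": "ul",   # user language
    "cid": "cid",   # anonymous client id chosen by the client snippet
}

# Upper bound on any single value; rejects oversized blobs smuggled in a field.
MAX_VALUE_LEN = 2048


def build_payload(tracking_id, client_report, remote_ip, user_agent):
    """Build the hit we will forward.

    tracking_id   -- GA property id (placeholder like "UA-XXXXX-Y" in tests)
    client_report -- dict posted by the browser to our own endpoint
    remote_ip, user_agent -- read from the HTTP request on our server and
        passed through the 'uip' and 'ua' override parameters, which is how
        GA learns the end user's IP/UA even though the TCP peer is the relay.
    """
    payload = {"v": "1", "tid": tracking_id, "t": "pageview"}
    for field, param in ALLOWED_FIELDS.items():
        value = client_report.get(field)
        # Only forward plain, non-empty, bounded strings.
        if isinstance(value, str) and 0 < len(value) <= MAX_VALUE_LEN:
            payload[param] = value
    if "cid" not in payload:
        # cid is required by the protocol; refuse rather than invent one here.
        raise ValueError("client report lacks a client id")
    payload["uip"] = remote_ip
    payload["ua"] = user_agent
    return payload


def send_hit(payload, url=GA_COLLECT_URL, timeout=2.0):
    """POST the built payload to Google; returns the HTTP status code."""
    req = urllib.request.Request(url, data=urlencode(payload).encode(),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed report: 'referrer' is not allowlisted and will be dropped.
    report = {"page": "/pricing", "host": "example.test", "res": "1920x1080",
              "lang": "en-US", "cid": "c0ffee-0001", "referrer": "https://somewhere.test/"}
    print(build_payload("UA-XXXXX-Y", report, "203.0.113.7", "Mozilla/5.0"))
```

With this in place the page's CSP only needs `connect-src 'self'` (or `img-src 'self'` if the snippet uses a beacon image) for analytics, and the decision about which browser details reach Google is made once, server-side, in `ALLOWED_FIELDS`.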