From ee2bb38e155c49f2774965ba4ec91bd46935491a Mon Sep 17 00:00:00 2001
From: CuriousX
Date: Tue, 21 Nov 2023 13:12:02 -0700
Subject: [PATCH] Update src/registrar/config/settings.py

Co-authored-by: Neil MartinsenBurrell
---
 src/registrar/config/settings.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 60cc90692..9db15e93f 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -304,6 +304,10 @@ CSP_DEFAULT_SRC = allowed_sources
 # explicitly set
 CSP_FRAME_ANCESTORS = allowed_sources
 CSP_FORM_ACTION = allowed_sources
+
+# Google analytics requires that we relax our otherwise
+# strict CSP by allowing scripts to run from their domain
+# and inline with a nonce, as well as allowing connections back to their domain
 CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/"]
 CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
 CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
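Review bot: The added comment says "their domain" twice, but the three settings below it trust two different hosts — scripts come from www.googletagmanager.com while connections go to www.google-analytics.com — and the nonce clause refers to CSP_INCLUDE_NONCE_IN three lines down rather than the line the comment sits above. Since this comment is the only documentation of why a deliberately strict policy is widened, it should name the settings and hosts so a reviewer of a future CSP change can see exactly what each exception covers: `# Google Analytics requires relaxing the otherwise strict CSP: CSP_SCRIPT_SRC_ELEM lets scripts load`, `# from www.googletagmanager.com (inline scripts only with a nonce, see CSP_INCLUDE_NONCE_IN), and`, `# CSP_CONNECT_SRC lets the page send data back to www.google-analytics.com.` Allowing the whole tag-manager host means any script configured in that container is trusted, which is worth stating in the same comment so the scope of the exception is understood as a container-level trust rather than a single script.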