How CSP Affects Ad Blockers and Tracking Prevention

Content Security Policy and ad blockers both restrict what a page can load, but they do it for completely different reasons. CSP is a server-declared allowlist. Ad blockers and browser tracking prevention are client-side privacy controls. They overlap just enough to confuse developers, especially once analytics, consent tools, and tag managers enter the picture. The short version: CSP does not replace ad blockers, and ad blockers do not replace CSP. They can stack, conflict, and produce weird failure modes that look like “CSP broke analytics” when the real culprit is a blocker, or “the blocker missed it” because CSP explicitly allowed it. ...

June 1, 2026 · 7 min · headertest.com

CSP for Plausible Analytics: A Real-World Before/After

I’ve seen this pattern a lot: a team wants privacy-friendly analytics, swaps out Google Analytics for Plausible, and suddenly their dashboards are empty because CSP is blocking the script or the event beacons. The funny part is Plausible is usually one of the easier analytics tools to fit into a strict policy. The hard part is not Plausible itself. The hard part is cleaning up the old CSP assumptions that were built around GTM, GA, consent tools, and years of exceptions nobody wants to touch. ...

May 15, 2026 · 6 min · headertest.com

CSP for FullStory Product Analytics

FullStory is one of those tools that security teams side-eye and product teams love. Session replay, event capture, rage clicks, funnels — great for debugging real user behavior, but it also means you’re injecting a third-party script that phones home constantly. That makes Content Security Policy a real concern, not a checkbox. If you add FullStory without thinking through CSP, you usually get one of two outcomes:

- FullStory silently breaks and nobody notices until analytics goes dark.
- Someone opens the policy way too far with https: and 'unsafe-inline', and now your CSP is mostly decorative.

I’d rather avoid both. ...

April 7, 2026 · 6 min · headertest.com