From 5da8b2ec9e138014eab5128c97f7ca492c434542 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sat, 11 Jan 2020 06:14:10 +0100
Subject: [PATCH] Some CSP tuning.

---
 app/Http/Middleware/SecureHeaders.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index dca47803e6..01e89f9452 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -53,7 +53,7 @@ class SecureHeaders
         $csp = [
             "default-src 'none'",
             "object-src 'self'",
-            sprintf("script-src 'unsafe-inline' %s 'nonce-%s'", $googleScriptSrc, $nonce),
+            sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $googleScriptSrc),
             "style-src 'self' 'unsafe-inline'",
             "base-uri 'self'",
             "font-src 'self' data:",
@@ -105,7 +105,7 @@ class SecureHeaders
     private function getGoogleImgSource(): string
     {
         if ('' !== config('firefly.analytics_id')) {
-            return 'https://www.google-analytics.com/';
+            return 'https://www.google-analytics.com';
         }
 
         return '';
@@ -119,7 +119,7 @@ class SecureHeaders
     private function getGoogleScriptSource(): string
     {
         if ('' !== config('firefly.analytics_id')) {
-            return 'https://www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js';
+            return 'https://www.googletagmanager.com https://www.google-analytics.com';
         }
 
         return '';
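Review bot: `%1s` and `%2s` in the new sprintf format are not positional placeholders — PHP's argument-swapping syntax is `%1$s`/`%2$s`, while `%1s` is just `%s` with a minimum width of 1 — so the directive comes out right only because the arguments were reordered to match, and the format misleads the next reader into thinking the order is pinned. Either use plain placeholders, `sprintf("script-src 'unsafe-inline' 'nonce-%s' %s", $nonce, $googleScriptSrc)`, or escape the positional form inside the double-quoted string. When getGoogleScriptSource() returns '' the directive ends in a trailing space, which is harmless but worth an `rtrim()` around the sprintf. Worth a comment on this line that nonce-aware browsers ignore 'unsafe-inline' once a nonce source is present, so it only acts as a fallback for older browsers and every inline script must carry the nonce. The enclosing method starts and ends outside the hunk.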
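Review bot: Dropping the path components widens script-src from two specific files (`/gtag/js` and `/analytics.js`) to any script served from www.googletagmanager.com and www.google-analytics.com, and neither the commit message nor the code says why the narrower form was insufficient. If the path-scoped sources were breaking (for instance because the tag loads further scripts from these origins), say so in a comment above the return, e.g. `// whole-origin sources: the Google tag loads additional scripts from these hosts, so path-scoped entries are not enough`; otherwise keep the path-scoped sources, since a host-wide allowlist admits every script those origins serve. The same trailing-path removal in getGoogleImgSource() (the preceding hunk) is behaviourally neutral for img-src, so this note applies to the script-src helper only. The closing brace of getGoogleScriptSource() lies outside the hunk.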