18F · pkarman · Nov 28, 2016 · Nov 22, 2016 · zachmargolis · Nov 22, 2016
diff --git a/app/views/layouts/application.html.slim b/app/views/layouts/application.html.slim
@@ -59,6 +59,4 @@ html lang="#{I18n.locale}"
     == javascript_include_tag 'misc/i18n-mode'
 
   - if Figaro.env.participate_in_dap == 'true'
-    = t('notices.dap_html')
-    - dap_source = 'https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=GSA'
-    <script async type='text/javascript' src='#{dap_source}' id='_fed_an_ua_tag'></script>
+    = render 'shared/dap_analytics'
diff --git a/app/views/shared/_dap_analytics.html.erb b/app/views/shared/_dap_analytics.html.erb
@@ -0,0 +1,4 @@
+<%= t('notices.dap_html') %>
+<% dap_source = 'https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=GSA' %>
+<%= nonced_javascript_tag({src: dap_source, async: true, id: '_fed_an_ua_tag'}) do %>
+<% end %>
diff --git a/app/views/shared/google_analytics/_page_tracking.html.erb b/app/views/shared/google_analytics/_page_tracking.html.erb
@@ -0,0 +1,16 @@
+<% nonce = content_security_policy_script_nonce %>
+
+<%= nonced_javascript_tag do %>
+  var nonce = "<%= nonce %>";
+  var analyticsKey = "<%= Figaro.env.google_analytics_key %>";
+
+  (function(i,s,o,g,r,a,m,n){n=a;i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+  m=s.getElementsByTagName(o)[0];a.setAttribute('nonce',n);a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+})(window,document,'script','//www.google-analytics.com/analytics.js','ga', nonce);
+
+  ga('create', analyticsKey, 'auto');
+  ga('set', 'anonymizeIp', true);
+  ga('set', 'forceSSL', true);
+  ga('send', 'pageview');
+<% end %>
diff --git a/app/views/shared/google_analytics/_page_tracking.html.slim b/app/views/shared/google_analytics/_page_tracking.html.slim
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
@@ -14,10 +14,16 @@
     block_all_mixed_content: true, # CSP 2.0 only;
     connect_src: ["'self'"],
     font_src: ["'self'", 'data:'],
-    img_src: ["'self'", 'data:'],
+    img_src: ["'self'", 'data:', '*.google-analytics.com'],
     media_src: ["'self'"],
     object_src: ["'none'"],
-    script_src: ["'self'", '*.newrelic.com', '*.nr-data.net'],
+    script_src: [
+      "'self'",
+      '*.newrelic.com',
+      '*.nr-data.net',
+      'dap.digitalgov.gov',
+      '*.google-analytics.com'
+    ],
     style_src: ["'self'"],
     base_uri: ["'self'"]
   }