Adding GoogleAnalyticsContentSecurityPolicyProvider, docs

Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md

@@ -14,5 +14,7 @@ These extensions provide additional security and can resolve issues reported by
 
 ## Services
 
+- `GoogleAnalyticsContentSecurityPolicyProvider`: Provides various directives for the `Content-Security-Policy` header, allowing using Google Analytics tracking. Is automatically enabled when the `OrchardCore.Google.Analytics` feature is enabled or the provider is explicitly enabled for the current request via is `static` method.
+- `ReCaptchaContentSecurityPolicyProvider`: Provides various directives for the `Content-Security-Policy` header, allowing using ReCaptcha captchas. Is automatically enabled when the `OrchardCore.ReCaptcha` feature is enabled.
 - `ResourceManagerContentSecurityPolicyProvider`: An abstract base class for implementing content security policy providers that trigger when the specified resource is included.
 - `VueContentSecurityPolicyProvider`: An implementation of `ResourceManagerContentSecurityPolicyProvider` that adds `script-src: unsafe-eval` permission to the page if it uses the `vuejs` resource. This includes any Vue.js app in stock Orchard Core, apps you create in your view files, and SFCs created with the Lombiq.VueJs module. This is necessary, because without `unsafe-eval` Vue.js only supports templates that are pre-compiled into JS code.

Lombiq.HelpfulLibraries.OrchardCore/Security/GoogleAnalyticsContentSecurityPolicyProvider.cs

@@ -0,0 +1,35 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using OrchardCore.Environment.Shell;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.OrchardCore.Security;
+
+public class GoogleAnalyticsContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+    private const string HttpContextItemKey = nameof(GoogleAnalyticsContentSecurityPolicyProvider);
+
+    public async ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+    {
+        var googleAnalyticsIsEnabled = context.Items.ContainsKey(HttpContextItemKey);
+
+        if (!googleAnalyticsIsEnabled)
+        {
+            var shellFeaturesManager = context.RequestServices.GetRequiredService<IShellFeaturesManager>();
+            googleAnalyticsIsEnabled = (await shellFeaturesManager.GetEnabledFeaturesAsync())
+               .Any(feature => feature.Id == "OrchardCore.Google.Analytics");
+        }
+
+        if (googleAnalyticsIsEnabled)
+        {
+            CspHelper.MergeValues(securityPolicies, ScriptSrc, "www.googletagmanager.com");
+        }
+    }
+
+    public static void EnableForCurrentRequest(HttpContext context) => context.Items[HttpContextItemKey] = "enabled";
+}

Lombiq.HelpfulLibraries.OrchardCore/Security/SecurityOrchardCoreBuilderExtensions.cs

@@ -90,7 +90,13 @@ public static OrchardCoreBuilder ConfigureAntiForgeryAlwaysSecure(this OrchardCo
     ///     <item>
     ///         <description>
     ///            Adds <see cref="ReCaptchaContentSecurityPolicyProvider"/> that provides various directives for the
-    ///            <c>Content-Security-Policy</c> header, allowing using a ReCaptcha captcha.
+    ///            <c>Content-Security-Policy</c> header, allowing using ReCaptcha captchas.
+    ///         </description>
+    ///     </item>
+    ///     <item>
+    ///         <description>
+    ///            Adds <see cref="GoogleAnalyticsContentSecurityPolicyProvider"/> that provides various directives for
+    ///            the <c>Content-Security-Policy</c> header, allowing using Google Analytics tracking.
     ///         </description>
     ///     </item>
     ///     <item>
@@ -144,6 +150,7 @@ private static OrchardCoreBuilder ConfigureSecurityDefaultsInner(
                 .AddContentSecurityPolicyProvider<SkipContentSecurityPolicyProvider>()
                 .AddContentSecurityPolicyProvider<BrowserLinkContentSecurityPolicyProvider>()
                 .AddContentSecurityPolicyProvider<ReCaptchaContentSecurityPolicyProvider>()
+                .AddContentSecurityPolicyProvider<GoogleAnalyticsContentSecurityPolicyProvider>()
                 .ConfigureSessionCookieAlwaysSecure(),
             (app, _, serviceProvider) =>
             {