Skip to content

Commit df18dca

Browse files
committed
fix: actualizar política de seguridad de contenido mediante metadato CSP
- Habilitar de forma segura la ejecución y transferencia de datos para endpints de Google
1 parent d32c19f commit df18dca

2 files changed

Lines changed: 72 additions & 16 deletions

File tree

src/components/global/Footer.astro

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -354,10 +354,13 @@ const legalItems = [
354354
form.reset();
355355

356356
(window as any).gtag("event", "generate_lead", {
357-
event_category: "form",
358-
event_label: "contact_form_success",
357+
form_name: "contact",
358+
page_location: window.location.href,
359+
page_title: document.title,
359360
});
360361

362+
console.log("Evento generate_lead enviado");
363+
361364
showFeedback(headerSuccess); // Mostramos bloque de éxito
362365
} else {
363366
showFeedback(headerError); // Mostramos bloque de error si Formspree rechaza

src/layouts/Layout.astro

Lines changed: 67 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -21,8 +21,8 @@ interface Props {
2121
// que en /en, sin depender de un segmento dinámico de ruta.
2222
const { title, description, pageName, lang = 'es' } = Astro.props;
2323
24+
const googleAnalyticsId = 'G-7XZMZNVW3L';
2425
const googleAdsId = 'AW-18316357590';
25-
const googleAnalyticsId = 'G-VJ80VBL1L4';
2626
2727
const siteUrl = siteConfig.url;
2828
const subpath = pageName === 'home' ? '' : pageName;
@@ -86,13 +86,56 @@ const ogLocale = lang === 'es' ? 'es_CO' : 'en_US';
8686
<meta name="twitter:image" content={ogImageUrl} />
8787

8888
<!-- Política de Seguridad de Contenido (CSP) para mitigar XSS y Clickjacking -->
89-
<meta http-equiv="Content-Security-Policy" content="
90-
default-src 'self';
91-
script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com blob:;
92-
connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://www.google.com https://www.google.co.id https://formspree.io;
93-
img-src 'self' data: https://www.google-analytics.com https://www.google.com https://www.google.co.id https://www.google.com.co https://googleads.g.doubleclick.net https://www.googleadservices.com;
94-
font-src 'self' data:;
95-
" />
89+
<meta
90+
http-equiv="Content-Security-Policy"
91+
content="
92+
default-src 'self';
93+
94+
script-src
95+
'self'
96+
'unsafe-inline'
97+
blob:
98+
https://www.googletagmanager.com
99+
https://www.google-analytics.com
100+
https://ssl.google-analytics.com;
101+
102+
connect-src
103+
'self'
104+
https://www.googletagmanager.com
105+
https://www.google-analytics.com
106+
https://region1.google-analytics.com
107+
https://stats.g.doubleclick.net
108+
https://www.google.com
109+
https://www.google.co.id
110+
https://www.google.com.co
111+
https://formspree.io;
112+
113+
img-src
114+
'self'
115+
data:
116+
https://www.googletagmanager.com
117+
https://www.google-analytics.com
118+
https://stats.g.doubleclick.net
119+
https://www.google.com
120+
https://www.google.co.id
121+
https://www.google.com.co
122+
https://googleads.g.doubleclick.net
123+
https://www.googleadservices.com;
124+
125+
style-src
126+
'self'
127+
'unsafe-inline';
128+
129+
font-src
130+
'self'
131+
data:;
132+
133+
frame-src
134+
'self'
135+
https://www.googletagmanager.com
136+
https://www.google.com;
137+
"
138+
/>
96139

97140
<!-- Google Consent Mode v2 — SIEMPRE primero, antes de cargar gtag.js.
98141
Por defecto TODO denegado: no se activan cookies de analítica ni de
@@ -129,17 +172,23 @@ const ogLocale = lang === 'es' ? 'es_CO' : 'en_US';
129172
navegador esté ocioso o a la primera interacción. Los comandos
130173
(js/config) se encolan de inmediato y gtag.js los procesa al cargar,
131174
respetando el consentimiento por defecto (denegado). -->
132-
{googleAdsId && googleAnalyticsId && (
133-
<script is:inline define:vars={{ googleAdsId, googleAnalyticsId }}>
175+
{googleAnalyticsId && googleAdsId && (
176+
<script is:inline define:vars={{ googleAnalyticsId, googleAdsId }}>
134177
gtag("js", new Date());
178+
179+
// Google Analytics
135180
gtag("config", googleAnalyticsId);
181+
182+
// Google Ads
136183
gtag("config", googleAdsId);
137184

138-
var gtagLoaded = false;
185+
let gtagLoaded = false;
186+
139187
function loadGtag() {
140188
if (gtagLoaded) return;
141189
gtagLoaded = true;
142-
var s = document.createElement("script");
190+
191+
const s = document.createElement("script");
143192
s.async = true;
144193
s.src = `https://www.googletagmanager.com/gtag/js?id=${googleAnalyticsId}`;
145194
document.head.appendChild(s);
@@ -150,8 +199,12 @@ const ogLocale = lang === 'es' ? 'es_CO' : 'en_US';
150199
} else {
151200
setTimeout(loadGtag, 3000);
152201
}
153-
["scroll", "pointerdown", "keydown", "touchstart"].forEach(function (ev) {
154-
window.addEventListener(ev, loadGtag, { once: true, passive: true });
202+
203+
["scroll", "pointerdown", "keydown", "touchstart"].forEach((ev) => {
204+
window.addEventListener(ev, loadGtag, {
205+
once: true,
206+
passive: true,
207+
});
155208
});
156209
</script>
157210
)}

0 commit comments

Comments
 (0)