Improve CSP instructions #20

@louh

Similar to #4, but CSP headers need to be added even if it's not served from a custom subdomain. I think these instructions should be much more upfront, maybe here: https://docs.plausible.io/plausible-script

In particular I think it would be helpful to note specifically which CSP policies need to be edited, and provide some examples. e.g.

Lax CSP (simple and future proof):

Content-Security-Policy: default-src 'self' *.plausible.io

Stricter CSP (more precise, but can break if the implementation is changed, like reporting back to a different subdomain) (the script-src and connect-src policies need to be merged with any other existing domains for those directives):

Content-Security-Policy: default-src 'self'; script-src plausible.io; connect-src plausible.io

Thanks for your work on this, giving this service a try now with the hope of replacing GA.
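
Added example, not part of the original issue or of Plausible's documentation: one way to merge a host such as plausible.io into the script-src and connect-src directives of an existing policy, which is what the stricter variant above asks for. The function names and sample policies are constructed for illustration, and sources are compared as exact tokens (no wildcard evaluation).

```javascript
// Parse a Content-Security-Policy header value into a Map of
// directive name -> list of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Add `host` to the given fetch directives without dropping sources
// that are already allowed.
function addSource(policy, host, names = ['script-src', 'connect-src']) {
  const directives = parseCsp(policy);
  for (const name of names) {
    let sources = directives.get(name);
    if (sources === undefined) {
      // No explicit directive and no default-src: the fetch type is
      // unrestricted, so adding a directive would only tighten it.
      if (!directives.has('default-src')) continue;
      // An explicit directive replaces the default-src fallback entirely,
      // so start from the default-src sources to keep them allowed.
      sources = directives.get('default-src');
    }
    // 'none' is only valid as the sole token of a source list.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(host)) sources.push(host);
    directives.set(name, sources);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// Constructed sample policy: a site that already allows a CDN for scripts.
const existing = "default-src 'self'; script-src 'self' cdn.example.com";
console.log('Content-Security-Policy: ' + addSource(existing, 'plausible.io'));
```

Because an explicit script-src or connect-src replaces the default-src fallback rather than adding to it, the merge copies the default-src sources into any directive it has to create.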
