Prevent Google Analytics from making requests to stats.g.doubleclick.net

TIL why Google Analytics makes requests to stats.g.doubleclick.net and how to prevent Google Analytics from making these requests.

A couple days ago I implemented a Content Security Policy (CSP)—I will soon blog about the actual implementation. I tested the CSP and in dev mode everything worked. Yesterday I deployed the CSP on my website and to my surprise I got several reports of an attempt to violate my CSP:

"csp-report": {
    "document-uri": "https://tonnygaric.com/",
    "effective-directive": "img-src",
    "original-policy": "default-src 'none'; frame-ancestors 'none'; base-uri 'self'; font-src 'self'; frame-src https://disqus.com; img-src 'self' https://tonnygaric.com data: https://www.google-analytics.com https://c.disquscdn.com/next/embed/assets/img/loader-bg.173909e4737a7481df14d5492b5eeb48.png https://referrer.disqus.com/juggler/stat.gif; script-src 'self' https://c.disquscdn.com/next/embed/common.bundle.8edffe1405dcc2d5eb5ee9d96a2866d1.js https://c.disquscdn.com/next/embed/lounge.bundle.329e132f404e98b8a5595dd712187b0e.js https://disqus.com/next/config.js https://tonnygaric.disqus.com/embed.js https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js; style-src 'self' https://c.disquscdn.com/next/embed/styles/; report-uri https://tonnygaric.report-uri.com/r/d/csp/enforce",
    "blocked-uri": "https://stats.g.doubleclick.net"
}

In Chrome I opened tonnygaric.com and Dev Tools, then I saw a message that Chrome refused to load the following image:

https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-104058193-1&cid=16863422.1 (...)

because it violates the directive img-src from my CSP.
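An added example, not from the original post: a small Node.js script that reads a report like the one above and shows which directive governed the blocked request and whether any of its sources cover the blocked origin. The policy is shortened from the report above, the function names are hypothetical, and the source matching is simplified (no wildcards, ports, nonces or hashes).

```javascript
// Added example (not the site's code): triage one CSP violation report.
// Report trimmed from the one above; the policy string is shortened.
const sampleReport = { "csp-report": {
  "document-uri": "https://tonnygaric.com/",
  "effective-directive": "img-src",
  "original-policy": "default-src 'none'; img-src 'self' data: " +
    "https://www.google-analytics.com; script-src 'self' " +
    "https://www.google-analytics.com/analytics.js",
  "blocked-uri": "https://stats.g.doubleclick.net"
} };

// Split a policy string into a Map: directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives;
}

// Simplified matching: 'self', scheme sources (data:) and host sources with an
// optional path. Wildcards, ports, nonces and hashes are NOT handled.
function sourceMatches(source, blocked, documentOrigin) {
  if (source === "'self'") return blocked.origin === documentOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return blocked.protocol === source.toLowerCase();
  let allowed;
  try { allowed = new URL(source); } catch { return false; } // keywords, wildcards
  if (allowed.origin !== blocked.origin) return false;
  const path = allowed.pathname;
  if (path === "/") return true;               // bare host: any path
  return path.endsWith("/") ? blocked.pathname.startsWith(path) : blocked.pathname === path;
}

// Report which directive governed the request and which sources (if any) match.
function triage(report) {
  const r = report["csp-report"];
  const policy = parsePolicy(r["original-policy"]);
  // Fetch directives such as img-src fall back to default-src when absent.
  const governing = policy.has(r["effective-directive"]) ? r["effective-directive"] : "default-src";
  const blocked = new URL(r["blocked-uri"]);   // assumes a URL, not a keyword like "inline"
  const documentOrigin = new URL(r["document-uri"]).origin;
  const matched = (policy.get(governing) || []).filter((s) => sourceMatches(s, blocked, documentOrigin));
  return { governing, blockedOrigin: blocked.origin, matched, thirdParty: blocked.origin !== documentOrigin };
}

console.log(triage(sampleReport));
```

An empty `matched` list together with `thirdParty: true` is the signal to ask why the page is contacting that origin at all before deciding whether to extend the policy.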

If I go to the URL of the image myself, I get an HTTP 302 and am redirected to:

https://www.google.nl/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-104058193-1&cid=1686 (...)

Note that I see my Google Analytics (GA) tracking ID in the query string parameters &tid=UA-104058193-1.

Hmm. It looks like GA makes a request to stats.g.doubleclick.net.

What is the relation between DoubleClick and GA?

Google says that GA reads the DoubleClick cookie to get information about Display Features—which can be used to enable Advertising Features in GA.

What is the difference between DoubleClick and GA?

According to Google:

  • DoubleClick: Ad management and reporting ad metrics such as clicks and impressions.
  • GA: Insights on website traffic and where the traffic came from.

Why is a request made to stats.g.doubleclick.net?

Apparently, for users that have enabled remarketing with GA, a third-party DoubleClick cookie is used to enable remarketing—for products like AdWords on the Google Display Network. If you enable this feature, information—including the third-party DoubleClick cookie—is sent to the Analytics servers.

I cannot remember enabling this feature, and I do not see anything in my JavaScript files that suggests a request to DoubleClick. This request is not needed for GA to work properly and it only makes the response time longer. Even though the request is blocked by my CSP, the best thing to do is to prevent GA from making the request.

How to prevent GA from making requests to DoubleClick?

The answer is pretty simple. Go to GA -> Admin -> Tracking info -> Data Collection -> disable both toggles and click on save. It can take up to 24 hours for the changes to take effect.

Google Analytics made a request to stats.g.doubleclick.net and violated my CSP
