Updated CSP to allow https://*.google-analytics.com for Tommy.

public/_headers

@@ -1,13 +1,13 @@
 # Netlify custom headers defined here. Use for pesky CSP, etc.
 
-# /* is for every file served on site.
-/*
+# used for every file served on site.
+
 
   # We need access to our payment gateway.
   Access-Control-Allow-Origin: *
   # Access-Control-Allow-Headers: 'Origin, X-Requested-With, Content-Type, Accept'
 
-  Content-Security-Policy: default-src 'self';   base-uri 'self';   object-src 'none';   connect-src https://*.simpleitsolutions.ch https://gateway.flyzermatt.com/ https://*.bugsnag.com;   font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com;   frame-src https://js.stripe.com  https://player.vimeo.com;    img-src 'self' www.googletagmanager.com;   script-src 'self' 'unsafe-eval' 'unsafe-inline' https://js.stripe.com/v3 https://polyfill.io/v3/polyfill.min.js https://www.googletagmanager.com;   style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/ https://fonts.googleapis.com/;   worker-src 'none';   child-src 'none';   form-action 'self';   frame-ancestors 'self';   upgrade-insecure-requests;
+  Content-Security-Policy: default-src 'self';   base-uri 'self';   object-src 'none';   connect-src https://*.simpleitsolutions.ch https://gateway.flyzermatt.com/ https://*.bugsnag.com  https://*.google-analytics.com;   font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com;   frame-src https://js.stripe.com  https://player.vimeo.com;    img-src 'self' www.googletagmanager.com https://*.google-analytics.com;   script-src 'self' 'unsafe-eval' 'unsafe-inline' https://js.stripe.com/v3 https://polyfill.io/v3/polyfill.min.js https://www.googletagmanager.com;   style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/ https://fonts.googleapis.com/;   worker-src 'none';   child-src 'none';   form-action 'self';   frame-ancestors 'self';   upgrade-insecure-requests;
 
   Referrer-Policy: strict-origin