diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml
index 7b9434d6f3..795dbf66a1 100755
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -38,6 +38,15 @@
 
     = yield :header_tags
 
+    %script(src="https://www.googletagmanager.com/gtag/js?id=AW-11130587137" async)
+
+    :javascript
+      window.dataLayer = window.dataLayer || [];
+      function gtag(){dataLayer.push(arguments);}
+      gtag('js', new Date());
+
+      gtag('config', 'AW-11130587137');
+
   %body{ class: body_classes }
     = content_for?(:content) ? yield(:content) : yield
 
diff --git a/app/views/shared/_web_app.html.haml b/app/views/shared/_web_app.html.haml
index 1964173bb5..998cee9fa9 100644
--- a/app/views/shared/_web_app.html.haml
+++ b/app/views/shared/_web_app.html.haml
@@ -9,15 +9,6 @@
   = render_initial_state
   = javascript_pack_tag 'application', crossorigin: 'anonymous'
 
-  %script(src="https://www.googletagmanager.com/gtag/js?id=AW-11130587137" async)
-
-  :javascript
-    window.dataLayer = window.dataLayer || [];
-    function gtag(){dataLayer.push(arguments);}
-    gtag('js', new Date());
-
-    gtag('config', 'AW-11130587137');
-
 .notranslate.app-holder#mastodon{ data: { props: Oj.dump(default_props) } }
   %noscript
     = image_pack_tag 'logo.svg', alt: 'Mastodon'
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index beefa5c1cf..aaeb862cba 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -19,6 +19,8 @@ media_host ||= assets_host
 google_host = 'https://www.googletagmanager.com'
 google_host2 = 'https://googleads.g.doubleclick.net'
 google_host3 = 'https://www.googleadservices.com'
+google_host4 = 'https://www.google.co.jp'
+google_host5 = 'https://www.google.com'
 google_tag_script_hash = "'sha256-CS1WvLDd3zJOdxpEk+N+VigcWMa6V345p2HS0WYiFWE='"
 
 Rails.application.config.content_security_policy do |p|
@@ -42,7 +44,7 @@ Rails.application.config.content_security_policy do |p|
     p.worker_src  :self, :blob, assets_host
   else
     p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
-    p.script_src  :self, assets_host, "'wasm-unsafe-eval'", google_host, google_host2, google_host3, google_tag_script_hash
+    p.script_src  :self, assets_host, "'wasm-unsafe-eval'", google_host, google_host2, google_host3, google_host4, google_host5, google_tag_script_hash
     p.child_src   :self, :blob, assets_host
     p.worker_src  :self, :blob, assets_host
   end