Content security policy

If your website uses a Content Security Policy (CSP), ensure the sources of content required by the tracking tag are included in the list of trusted sources for script execution.

The following CSP configuration allows the tag to function for the majority of websites:

Content-Security-Policy: script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net *.contentsquare.com; frame-src csxd.{crossdomain}

script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com


The tracking tag comes from the domain t.contentsquare.net. Optional modules are loaded from additional contentsquare.net subdomains. The tracking tag is usually loaded by a small inline script, so you need to allow inline scripts with 'unsafe-inline'. Even if you load the tracking tag by other means, you'll still need 'unsafe-inline' for cross-domain tracking, since our cross-domain iframe uses inline scripts.

app.contentsquare.com is not used by the tracking tag to collect data. However, when creating a zoning from the Contentsquare application, a script is injected into an iframe to assist in-page analysis and zoning creation.

child-src blob: / worker-src blob:


We use Web Workers built from a blob: URL that contains the body of a function as a string, so origins with the blob: scheme need to be authorized for both child-src and worker-src.

We send tracked data to our servers through requests for fake images. This is why our tracking subdomains need to be authorized sources for images (img-src).

connect-src *.contentsquare.net *.contentsquare.com


We use XMLHttpRequest (XHR) to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for HTTP APIs.

If cross-domain tracking is active, the tag needs to load an iframe for each domain where cross-domain tracking is enabled. Add one frame-src entry per domain, like this: frame-src csxd.domain1.com csxd.domain2.com.

Voice of Customer

Voice of Customer widgets apply styles by injecting them inline at runtime when rendering a survey.

Directive: script-src 'unsafe-inline' 'unsafe-eval' https://cdn.heapanalytics.com https://heapanalytics.com;
Product: Product Analytics
Purpose: Loads the Visual Labeler script

Directive: img-src https://heapanalytics.com;
Product: Product Analytics
Purpose: Loads the Visual Labeler image assets

Directive: connect-src https://heapanalytics.com;
Product: Product Analytics
Purpose: Used by Visual Labeler to fetch environment settings

Directive: style-src https://heapanalytics.com;
Product: Product Analytics
Purpose: Loads the Visual Labeler stylesheets

Directive: font-src https://heapanalytics.com;
Product: Product Analytics
Purpose: Loads the Visual Labeler custom fonts