University
Webinars
Community
Help Center
Technical Docs
Contentsquare Platform

Content security policy

If your website uses a Content Security Policy (CSP), ensure the sources of content required by the tracking tag are included in the list of trusted sources for script execution.

The following CSP configuration allows the tag to function for the majority of websites:

Content-Security-Policy: script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net *.contentsquare.com; frame-src csxd.{crossdomain}

Directives and values

Section titled Directives and values

script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com

Section titled script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com

The tracking tag comes from the domain t.contentsquare.net. Optional modules are loaded from additional contentsquare.net subdomains. The tracking tag is usually loaded by a small inline script, so you need to allow loading scripts from unsafe-inline. Even if you load the tracking tag by other means, you’ll need unsafe-inline for cross domain tracking, since our cross domain iframe uses inline scripts.

app.contentsquare.com is not used by tracking tag to collect data. However, when creating a zoning from Contentsquare application, a script is injected in an iframe to assist in-page analysis and zoning creation.

child-src blob: / worker-src blob:

Section titled child-src blob: / worker-src blob:

We use Web Workers, built from a blob URL containing the body of a function as a string. Origins of protocol blob: thus need to be authorized.

img-src *.contentsquare.net

Section titled img-src *.contentsquare.net

We use calls to fake images to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for images. We use a wildcard since different subdomains could be added at any time. We discourage specifying exact subdomains.

connect-src *.contentsquare.net *.contentsquare.com

Section titled connect-src *.contentsquare.net *.contentsquare.com

We use XMLHttpRequest (XHR) to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for HTTP APIs. We use a wildcard since different subdomains could be added at any time. We discourage specifying exact subdomains.

frame-src csxd.{crossdomain}

Section titled frame-src csxd.{crossdomain}

If cross domain tracking is active, the tracking tag will need to load iframes to function. The tag will load one iframe for each domain for which cross domain tracking is active so you need to add them as in: frame-src csxd.domain1.com csxd.domain2.com.