Content security policy

If your website uses a Content Security Policy (CSP), ensure the sources of content required by the tracking tag are included in the list of trusted sources for script execution.

The following CSP configuration allows the tag to function for the majority of websites running Experience Analytics:

Content-Security-Policy: script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net *.contentsquare.com; frame-src csxd.{crossdomain}

script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com

The tracking tag comes from the domain t.contentsquare.net. Optional modules are loaded from additional contentsquare.net subdomains. The tracking tag is usually loaded by a small inline script, so you need to allow loading scripts from unsafe-inline. Even if you load the tracking tag by other means, you’ll need unsafe-inline for cross domain tracking, since our cross domain iframe uses inline scripts.

app.contentsquare.com is not used by tracking tag to collect data. However, when creating a zoning from Contentsquare application, a script is injected in an iframe to assist in-page analysis and zoning creation.

child-src blob: / worker-src blob:

We use Web Workers, built from a blob URL containing the body of a function as a string. Origins of protocol blob: thus need to be authorized.

img-src *.contentsquare.net

We use calls to fake images to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for images.

connect-src *.contentsquare.net *.contentsquare.com

We use XMLHttpRequest (XHR) to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for HTTP APIs.

frame-src csxd.{crossdomain}

If cross domain tracking is active, the Tag will need to load iframes to work. The tag will load an iframe for each domain where cross domain tracking is active. You need to add them like this: frame-src csxd.domain1.com csxd.domain2.com.

Add the following directive for VoC:

Content-Security-Policy: script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net *.contentsquare.com; frame-src csxd.{crossdomain} style-src: unsafe-inline

style-src: unsafe-inline

Voice of Customer widgets apply styles by injecting them inline at runtime when rendering a survey.

Add the following directives for Product Analytics:

Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' *.contentsquare.net app.contentsquare.com https://cdn.heapanalytics.com https://heapanalytics.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net https://heapanalytics.com; connect-src *.contentsquare.net *.contentsquare.com https://heapanalytics.com; frame-src csxd.{crossdomain}; style-src https://heapanalytics.com; font-src https://heapanalytics.com

Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' *.contentsquare.net app.contentsquare.com https://cdn.eu.heap-api.com https://cdn.us.heap-api.com https://heapanalytics.com https://eu.heapanalytics.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net https://heapanalytics.com https://eu.heapanalytics.com; connect-src *.contentsquare.net *.contentsquare.com https://c.eu.heap-api.com https://heapanalytics.com https://eu.heapanalytics.com; frame-src csxd.{crossdomain}; style-src https://heapanalytics.com https://eu.heapanalytics.com; font-src https://heapanalytics.com https://eu.heapanalytics.com