Content security policy

Your website might use a Content Security Policy (CSP) to protect it. For our tracking tag to keep working on your websites, you need to add the sources used by the tracking tag to the sources you trust for script execution.

Here is the minimal CSP configuration the tracking tag needs to function.

script-src 'unsafe-inline' t.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net; frame-src csxd.{crossdomain}
// with a {crossdomain} for any domain for which cross domain tracking is required (only where applicable)

script-src 'unsafe-inline' t.contentsquare.net

The tracking tag is served from the domain t.contentsquare.net, so you need to authorize it. The tracking tag is usually loaded by a small inline script, so you need to allow inline scripts with 'unsafe-inline'. Even if you load the tracking tag by other means, you will still need 'unsafe-inline' for cross domain tracking, since our cross domain iframe uses inline scripts.

script-src app.contentsquare.com

app.contentsquare.com is not used by the tracking tag to collect data. However, when you create a zoning from the Contentsquare application, a script is injected into an iframe to assist in-page analysis and zoning creation.

child-src blob: / worker-src blob:

We use web workers, built from a blob URL that contains the body of a function as a string. The blob: scheme therefore needs to be an authorized source for workers.

img-src *.contentsquare.net

We use requests for fake images to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for images. We use a wildcard since new subdomains could be added at any time. We do not recommend specifying exact subdomains instead of a wildcard.

connect-src *.contentsquare.net

We use XMLHttpRequest to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for HTTP requests. We use a wildcard since new subdomains could be added at any time. We do not recommend specifying exact subdomains instead of a wildcard.

frame-src csxd.{crossdomain}

If cross domain tracking is active, the tracking tag needs to load iframes to function. The tag loads one iframe for each domain for which cross domain tracking is active. (Example: frame-src csxd.domain1.com csxd.domain2.com)
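The following Python script is an added example, not Contentsquare's own code: it builds the minimal policy from this page (with one frame-src entry per cross-domain host) and checks whether an arbitrary CSP header still allows every source the tag needs. It goes slightly beyond the page in two ways a practitioner will want before deploying: it applies the CSP3 fallback rules (worker-src falls back to child-src, then script-src, then default-src; frame-src to child-src, then default-src; the rest to default-src), and it flags the case where script-src also carries a nonce or hash, because browsers then ignore 'unsafe-inline' and the inline loader and cross-domain iframe would stop working. The fallback table, matching rules and sample headers are written for this example.

```python
"""Added example (not Contentsquare's code): build the minimal CSP described on this
page and verify that an arbitrary CSP header still lets the tracking tag load."""
from __future__ import annotations

# Directives a browser consults, in order, when the named directive is absent (CSP3).
FALLBACK = {
    "script-src": ("default-src",),
    "img-src": ("default-src",),
    "connect-src": ("default-src",),
    "child-src": ("default-src",),
    "frame-src": ("child-src", "default-src"),
    "worker-src": ("child-src", "script-src", "default-src"),
}

# The sources the page lists as the minimum the tag needs.
BASE_REQUIREMENTS = [
    ("script-src", "'unsafe-inline'"),
    ("script-src", "t.contentsquare.net"),
    ("script-src", "app.contentsquare.com"),
    ("child-src", "blob:"),
    ("worker-src", "blob:"),
    ("img-src", "*.contentsquare.net"),
    ("connect-src", "*.contentsquare.net"),
]


def build_policy(cross_domains=()):
    """Return the page's minimal policy, with one frame-src entry per cross-domain host."""
    directives = [
        "script-src 'unsafe-inline' t.contentsquare.net app.contentsquare.com",
        "child-src blob:",
        "worker-src blob:",
        "img-src *.contentsquare.net",
        "connect-src *.contentsquare.net",
    ]
    if cross_domains:
        directives.append("frame-src " + " ".join(f"csxd.{d}" for d in cross_domains))
    return "; ".join(directives)


def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}; the first duplicate wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Walk the fallback chain; (None, None) means no directive applies at all."""
    for name in (directive, *FALLBACK.get(directive, ())):
        if name in policy:
            return name, policy[name]
    return None, None


def host_of(expr):
    """Reduce a host-source such as https://a.b:443/path to its host part."""
    expr = expr.split("://", 1)[-1]
    return expr.split("/", 1)[0].rsplit(":", 1)[0].lower()


def is_host_expr(expr):
    """Keywords ('self', 'nonce-...') and scheme sources (blob:) are not host expressions."""
    return not expr.startswith("'") and not expr.endswith(":")


def host_matches(expr_host, needed_host):
    """Does one host expression (possibly wildcarded) cover the needed host?"""
    if expr_host == "*":
        return True
    if expr_host.startswith("*."):
        suffix = expr_host[1:]                      # e.g. ".contentsquare.net"
        if needed_host.startswith("*."):            # a wildcard is only covered by a wildcard
            return needed_host[1:].endswith(suffix)
        return needed_host.endswith(suffix)
    return expr_host == needed_host


def allows(sources, needed):
    """Does a source list allow `needed` (a keyword, a scheme, or a host/wildcard)?"""
    lowered = [s.lower() for s in sources]
    if needed.startswith("'") or needed.endswith(":"):
        return needed in lowered                    # '*' covers neither keywords nor blob:
    needed_host = host_of(needed)
    return any(host_matches(host_of(s), needed_host) for s in lowered if is_host_expr(s))


def check_policy(header, cross_domains=()):
    """Return a list of problems; an empty list means the tag can run under this CSP."""
    policy = parse_policy(header)
    required = BASE_REQUIREMENTS + [("frame-src", f"csxd.{d}") for d in cross_domains]
    problems = []
    for directive, needed in required:
        used, sources = effective_sources(policy, directive)
        if sources is None:
            continue                                # no directive, no default-src: allowed
        if not allows(sources, needed):
            problems.append(f"{directive}: {needed} not allowed by {used}")
    # Caveat: once a nonce or hash appears in script-src, browsers ignore 'unsafe-inline'.
    _, script = effective_sources(policy, "script-src")
    if script and any(s.lower().startswith(("'nonce-", "'sha")) for s in script):
        problems.append("script-src: a nonce/hash source makes 'unsafe-inline' ineffective")
    return problems


if __name__ == "__main__":
    header = build_policy(["domain1.com", "domain2.com"])        # sample hosts, constructed
    print(header)
    print(check_policy(header, ["domain1.com", "domain2.com"]))  # []
    print(check_policy("default-src 'self'"))                     # every tag source is blocked
```

Run it against the header your server actually emits (for example the value of Content-Security-Policy copied from a response) rather than the one you intended to configure; a stricter default-src or a nonce added later by another team is exactly what this check is meant to catch.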