---
title: Content Security Policy (CSP) - Web
description: List of directives, values, and domains required by the Tag
lastUpdated: 11 March 2026
source_url:
  html: https://docs.contentsquare.com/en/web/content-security-policy/
  md: https://docs.contentsquare.com/en/web/content-security-policy/index.md
---


If your website uses a Content Security Policy (CSP), ensure the sources of content required by the tracking tag are included in the list of trusted sources for script execution.

## Experience Analytics

The following CSP configuration allows the tag to function for the majority of websites running Experience Analytics:

```http
Content-Security-Policy: script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net *.contentsquare.com; frame-src csxd.{crossdomain}
```

**Wildcards**

The configuration uses the `*.contentsquare.net` and `*.contentsquare.com` wildcards to cover the multiple subdomains associated with different capabilities, such as Zoning, Session Replay, and Static Asset Management. This keeps the policy forward compatible when subdomains are added later.
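To make the scope of those wildcards concrete, the following is an added Python example (not Contentsquare code) implementing a simplified version of the CSP host-source matching rules. It assumes the page carrying the policy is served over https, ignores port and path matching, and treats keyword sources such as `'unsafe-inline'` as non-URL entries. Note in particular that `*.contentsquare.net` covers any depth of subdomain but never the bare `contentsquare.net` apex, and that a host-source without a scheme does not allow plain http on an https page.

```python
from urllib.parse import urlsplit

# Per CSP Level 3, a source scheme of http also matches https URLs (and ws
# matches wss). Port and path matching is deliberately left out (assumption).
SCHEME_UPGRADES = {"http": {"http", "https"}, "ws": {"ws", "wss"}}


def host_source_matches(source: str, url: str, page_scheme: str = "https") -> bool:
    """Return True if the CSP source expression `source` allows `url`.

    `page_scheme` is the scheme of the page that carries the policy: a
    host-source with no explicit scheme only matches that scheme and its
    secure upgrades. Scheme-sources such as `blob:` are handled too.
    """
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    url_host = (parts.hostname or "").lower()
    src = source.strip().lower()

    # Scheme-source (e.g. "blob:"): only the scheme of the URL matters.
    if src.endswith(":") and "/" not in src:
        return url_scheme == src[:-1]

    # Split an optional scheme off the host-source.
    if "://" in src:
        src_scheme, src_host = src.split("://", 1)
    else:
        src_scheme, src_host = page_scheme.lower(), src
    src_host = src_host.split("/", 1)[0].split(":", 1)[0]  # drop any port/path

    if url_scheme not in SCHEME_UPGRADES.get(src_scheme, {src_scheme}):
        return False
    if src_host == "*":
        return True
    if src_host.startswith("*."):
        # Wildcard matches any subdomain depth ("a.b.contentsquare.net") but
        # never the apex itself ("contentsquare.net").
        return url_host.endswith(src_host[1:])
    return url_host == src_host


def directive_allows(sources, url: str, page_scheme: str = "https") -> bool:
    """True if any URL-matching source in a directive's list allows `url`.
    Keyword sources (quoted, e.g. 'unsafe-inline') are not URL matchers and
    are skipped here."""
    return any(
        host_source_matches(s, url, page_scheme)
        for s in sources
        if not s.startswith("'")
    )


if __name__ == "__main__":
    script_src = ["'unsafe-inline'", "*.contentsquare.net", "app.contentsquare.com"]
    for candidate in (
        "https://t.contentsquare.net/uxa/tag.js",   # constructed sample URL
        "https://contentsquare.net/tag.js",         # apex: not covered by *.contentsquare.net
        "https://evil-contentsquare.net/tag.js",    # lookalike: not covered
        "http://t.contentsquare.net/uxa/tag.js",    # plain http on an https page: not covered
    ):
        print(f"{candidate}: {'allowed' if directive_allows(script_src, candidate) else 'blocked'}")
```

Running the block prints one line per constructed candidate URL; only the first is allowed by the `script-src` list above.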

### `script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com`

The tracking tag is served from the domain `t.contentsquare.net`. Optional modules are loaded from additional `contentsquare.net` subdomains. The tracking tag is usually loaded by a small inline script, so you need to allow inline scripts with the `'unsafe-inline'` keyword. Even if you load the tracking tag by other means, you will still need `'unsafe-inline'` for cross-domain tracking, since our cross-domain iframe uses inline scripts.

`app.contentsquare.com` is not used by the tracking tag to collect data. However, when creating a zoning from the Contentsquare application, a script is injected into an iframe to assist in-page analysis and zoning creation.

### `child-src blob:` / `worker-src blob:`

We use Web Workers built from a blob URL containing the body of a function as a string. Origins using the `blob:` scheme therefore need to be authorized.

### `img-src *.contentsquare.net`

We use requests for dummy images (tracking pixels) to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for images.

### `connect-src *.contentsquare.net *.contentsquare.com`

We use `XMLHttpRequest` (XHR) to send tracked data to our servers. This is why our tracking subdomains need to be authorized sources for HTTP APIs.

### `frame-src csxd.{crossdomain}`

If cross-domain tracking is active, the tag needs to load iframes to work. It loads one iframe for each domain where cross-domain tracking is active, so you need to add an entry per domain, like this: `frame-src csxd.domain1.com csxd.domain2.com`.
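A practical way to check an existing policy against the directives listed above is shown in the following added Python example (not Contentsquare code). It parses a `Content-Security-Policy` header value, expands the `csxd.{crossdomain}` placeholder into one entry per cross-domain-tracking domain, applies the CSP fallback rules (`worker-src` falls back to `child-src`, then `script-src`, then `default-src`; `frame-src` falls back to `child-src`, then `default-src`; the others fall back to `default-src`) and reports which required sources are missing. It can also emit a merged policy; when it has to create a directive that was previously governed by a fallback, it seeds the new directive with the fallback's sources, because an explicit directive replaces its fallback entirely. The `REQUIRED` table can be swapped for the Voice of Customer or Product Analytics lists further down this page. The strict sample policy and the `example.com` domain are constructed for the demonstration.

```python
"""Check a Content-Security-Policy header against the sources the Experience
Analytics tag needs, honouring CSP directive fallback, and report gaps."""

# Sources required by the Experience Analytics tag (taken from this page).
REQUIRED = {
    "script-src": ["'unsafe-inline'", "*.contentsquare.net", "app.contentsquare.com"],
    "child-src": ["blob:"],
    "worker-src": ["blob:"],
    "img-src": ["*.contentsquare.net"],
    "connect-src": ["*.contentsquare.net", "*.contentsquare.com"],
    "frame-src": ["csxd.{crossdomain}"],
}

# Fallback chains per CSP Level 3. Directives not listed fall back to default-src.
FALLBACK = {
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.
    Browsers ignore a repeated directive, so the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Sources actually governing `directive`, or None if nothing restricts it."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return None


def expand_required(cross_domains=()):
    """Replace {crossdomain} with one csxd.<domain> entry per domain; with no
    cross-domain tracking the frame-src requirement disappears."""
    required = {}
    for directive, sources in REQUIRED.items():
        expanded = []
        for src in sources:
            if "{crossdomain}" in src:
                expanded += [src.replace("{crossdomain}", d) for d in cross_domains]
            else:
                expanded.append(src)
        if expanded:
            required[directive] = expanded
    return required


def missing_for(policy, directive, needed):
    """Required sources of one directive that the live policy does not allow."""
    governing = effective_sources(policy, directive)
    if governing is None:
        return []  # no directive applies, so nothing is blocked
    present = {s.lower() for s in governing}
    missing = []
    for src in needed:
        # '*' covers host sources but not keywords ('unsafe-inline') or schemes (blob:)
        star_covers = "*" in present and not src.startswith("'") and not src.endswith(":")
        if src.lower() not in present and not star_covers:
            missing.append(src)
    return missing


def missing_sources(header: str, cross_domains=()):
    """{directive: [missing sources]} for every directive that still blocks the tag."""
    policy = parse_csp(header)
    report = {}
    for directive, needed in expand_required(cross_domains).items():
        gaps = missing_for(policy, directive, needed)
        if gaps:
            report[directive] = gaps
    return report


def merge_required(header: str, cross_domains=()) -> str:
    """Return the header value with the missing sources added. A directive
    created here is seeded with the sources that governed it through fallback,
    since an explicit directive replaces its fallback entirely."""
    policy = parse_csp(header)
    for directive, needed in expand_required(cross_domains).items():
        gaps = missing_for(policy, directive, needed)  # recomputed on the live policy
        if not gaps:
            continue
        if directive not in policy:
            policy[directive] = list(effective_sources(policy, directive))
        policy[directive] += gaps
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


# Constructed sample: a typical strict policy before the tag was considered.
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self'"

if __name__ == "__main__":
    print("missing:", missing_sources(STRICT_POLICY, ["example.com"]))
    print("merged: ", merge_required(STRICT_POLICY, ["example.com"]))
```

On the constructed strict policy, every required directive reports a gap; after merging, `worker-src` needs no explicit entry because it now inherits `blob:` from the newly created `child-src`, and a second `missing_sources` pass comes back empty.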

## Voice of Customer

Add the following `style-src` directive for VoC (shown here appended to the Experience Analytics policy):

```http
Content-Security-Policy: script-src 'unsafe-inline' *.contentsquare.net app.contentsquare.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net; connect-src *.contentsquare.net *.contentsquare.com; frame-src csxd.{crossdomain}; style-src 'unsafe-inline'
```

### `style-src 'unsafe-inline'`

Voice of Customer widgets apply their styles by injecting them inline at runtime when rendering a survey, so inline styles must be allowed.

## Product Analytics (Visual Labeler)

Add the following directives for Product Analytics:

* US

  ```http
  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' *.contentsquare.net app.contentsquare.com https://cdn.heapanalytics.com https://heapanalytics.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net https://heapanalytics.com; connect-src *.contentsquare.net *.contentsquare.com https://heapanalytics.com; frame-src csxd.{crossdomain}; style-src https://heapanalytics.com; font-src https://heapanalytics.com
  ```

  ### `script-src 'unsafe-inline' 'unsafe-eval' https://cdn.heapanalytics.com https://heapanalytics.com;`

  Loads the Visual Labeler script

  ### `img-src https://heapanalytics.com;`

  Loads the Visual Labeler image assets

  ### `connect-src https://heapanalytics.com;`

  Used by Visual Labeler to fetch environment settings

  ### `style-src https://heapanalytics.com;`

  Loads the Visual Labeler stylesheets

  ### `font-src https://heapanalytics.com;`

  Loads the Visual Labeler custom fonts

* EU

  ```http
  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' *.contentsquare.net app.contentsquare.com https://cdn.eu.heap-api.com https://cdn.us.heap-api.com https://heapanalytics.com https://eu.heapanalytics.com; child-src blob:; worker-src blob:; img-src *.contentsquare.net https://heapanalytics.com https://eu.heapanalytics.com; connect-src *.contentsquare.net *.contentsquare.com https://c.eu.heap-api.com https://heapanalytics.com https://eu.heapanalytics.com; frame-src csxd.{crossdomain}; style-src https://heapanalytics.com https://eu.heapanalytics.com; font-src https://heapanalytics.com https://eu.heapanalytics.com
  ```

  ### `script-src 'unsafe-inline' 'unsafe-eval' https://cdn.eu.heap-api.com https://cdn.us.heap-api.com https://heapanalytics.com https://eu.heapanalytics.com;`

  Loads the Visual Labeler script

  ### `img-src https://heapanalytics.com https://eu.heapanalytics.com;`

  Loads the Visual Labeler image assets

  ### `connect-src https://c.eu.heap-api.com https://heapanalytics.com https://eu.heapanalytics.com;`

  Used by Visual Labeler to fetch environment settings

  ### `style-src https://heapanalytics.com https://eu.heapanalytics.com;`

  Loads the Visual Labeler stylesheets

  ### `font-src https://heapanalytics.com https://eu.heapanalytics.com;`

  Loads the Visual Labeler custom fonts
