Troubleshooting: Content Security Policy (CSP)

Author: JL Neilsen

Why does this happen?

Your site is configured to restrict one or more security policies through a Content-Security-Policy header and doesn’t explicitly permit access to CrazyEgg.

Solving the Error

Ask your developer to update the Content-Security-Policy (CSP) header in the following way:

  1. Default Policy:
    • Add *.crazyegg.com to the default-src directive.
  2. If you have specific directives for any of the following, also add *.crazyegg.com to them:
    • script-src
    • connect-src
    • style-src
    • frame-src
    • img-src
  3. Web Workers:
    • For best performance, allow blob: in worker-src or child-src.
      • If your CSP policy does not permit blob:, Crazy Egg can fall back to a Crazy Egg-hosted iframe. In that case, add *.crazyegg.com to frame-src.
  4. Surveys & CTAs:
    • If you have a specific style-src directive add 'unsafe-inline' to it.
    • If you are using uploaded images, add: user-images.crazyeggcdn.com to img-src
    • Additionally, allow Google Fonts by adding:
      • fonts.googleapis.com to style-src
      • fonts.gstatic.com to font-src

Here is an example CSP that covers all of these cases:

Content-Security-Policy: 
default-src 'self' *.crazyegg.com;
script-src 'self' *.crazyegg.com;
connect-src 'self' *.crazyegg.com;
style-src 'self' *.crazyegg.com 'unsafe-inline' fonts.googleapis.com;
img-src 'self' *.crazyegg.com user-images.crazyeggcdn.com;
frame-src 'self' *.crazyegg.com;
font-src 'self' fonts.gstatic.com;
worker-src 'self' blob:;
child-src 'self' blob:;
Was this article helpful?
Yes No

Related Articles

Need Support?

Can’t find the answer you’re looking for? Don’t worry we’re here to help!

Submit a request