
Why does this happen?
Your site is configured to restrict one or more security policies through a Content-Security-Policy header and doesn’t explicitly permit access to CrazyEgg.
Solving the Error
Ask your developer to update the Content-Security-Policy (CSP) header in the following way:
- Default Policy:
  - Add `*.crazyegg.com` to the `default-src` directive.
  - If you have specific directives for any of the following, also add `*.crazyegg.com` to them:
    - `script-src`
    - `connect-src`
    - `style-src`
    - `frame-src`
    - `img-src`
- Handling `blob:`:
  - If your CSP includes `worker-src` or `child-src`, add `blob:` to those directives.
  - Otherwise, add `blob:` to the `default-src` directive.
- Surveys & CTAs:
  - If you have a specific `style-src` directive, add `'unsafe-inline'` to it.
  - Additionally, allow Google Fonts by adding:
    - `fonts.googleapis.com` to `style-src`
    - `fonts.gstatic.com` to `font-src`
Here is an example CSP that covers all of these cases:
```
Content-Security-Policy:
  default-src 'self' *.crazyegg.com blob:;
  script-src 'self' *.crazyegg.com;
  connect-src 'self' *.crazyegg.com;
  style-src 'self' *.crazyegg.com 'unsafe-inline' fonts.googleapis.com;
  img-src 'self' *.crazyegg.com;
  frame-src 'self' *.crazyegg.com;
  font-src 'self' fonts.gstatic.com;
  worker-src 'self' blob:;
  child-src 'self' blob:;
```
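To check an existing policy before deploying the change, the checklist above can be turned into a small audit script. This is an added example, not CrazyEgg's own code; the function names `parseCsp` and `missingForCrazyEgg` are hypothetical, sources are matched exactly, and the Google Fonts entry for `style-src` is only checked when a `style-src` directive exists (an assumption).

```javascript
// Added example: audit a CSP against the CrazyEgg checklist on this page.
// Matching is exact per source expression; broader sources such as https: or *
// are not treated as covering *.crazyegg.com (simplifying assumption).

function parseCsp(header) {
  const policy = new Map();
  // Accept either the bare policy or the full "Content-Security-Policy: ..." line.
  const value = header.replace(/^\s*content-security-policy:/i, "").toLowerCase();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function missingForCrazyEgg(header) {
  const policy = parseCsp(header);
  const missing = [];
  const need = (directive, source) => {
    if (!(policy.get(directive) || []).includes(source)) {
      missing.push(`${directive} ${source}`);
    }
  };
  const host = "*.crazyegg.com";

  // Default policy: default-src always, the others only when they are present.
  need("default-src", host);
  for (const d of ["script-src", "connect-src", "style-src", "frame-src", "img-src"]) {
    if (policy.has(d)) need(d, host);
  }
  // blob: goes on worker-src/child-src when present, otherwise on default-src.
  const workerLike = ["worker-src", "child-src"].filter((d) => policy.has(d));
  for (const d of workerLike.length ? workerLike : ["default-src"]) need(d, "blob:");

  // Surveys & CTAs: inline styles and Google Fonts.
  if (policy.has("style-src")) {
    need("style-src", "'unsafe-inline'");
    need("style-src", "fonts.googleapis.com");
  }
  need("font-src", "fonts.gstatic.com");
  return missing;
}

// Constructed sample: a strict policy that has not yet been updated.
const sample = "default-src 'self'; script-src 'self'; style-src 'self'";
console.log(missingForCrazyEgg(sample).join("\n"));
```

An empty result means every entry from the checklist is present; each returned string names a directive and the source still to be added to it.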