Content Security Policy (CSP) & Smartlook
The Smartlook script can be added to a page without compromising content security in compliance with the Content-Security-Policy (CSP) directives. More on the CSP can be found here.
For Smartlook to work with your CSP directive, two things are required:
- Add the domains `https://*.smartlook.com https://*.smartlook.cloud` to the script-src and connect-src directives
- Add a nonce or a hash of the Smartlook inline script (the one you intend to use) to the script-src directive
Please make sure the domains you add to the script-src and connect-src directives start with the `*` wildcard (i.e. `https://*.smartlook.com https://*.smartlook.cloud`), because we run multiple instances of the web writer. Whitelisting only some subdomains may still cause CSP-related issues for some visitors.
Here is an example CSP for a website that loads scripts only from its own domain and makes requests only to its own domain, with the Smartlook script added:
Content-Security-Policy: default-src 'self'; script-src 'self' https://*.smartlook.com https://*.smartlook.cloud 'nonce-randomlyGeneratedBase64Nonce'; connect-src 'self' https://*.smartlook.com https://*.smartlook.cloud;
And on the page it would look something like this:
<script nonce="randomlyGeneratedBase64Nonce">...Your Smartlook Tracking Script...</script>
More information about nonce and script content hash can be found on Mozilla's CSP: script-src web page.
One thing to note: we recommend that you do not use 'unsafe-inline' in any directive, as it can render the CSP insecure and leave pages vulnerable to cross-site scripting (XSS) and other attacks.