The Smartlook script can be added to a page without compromising content security in compliance with the Content-Security-Policy (CSP) directives. More on the CSP can be found here.

For Smartlook to work with your CSP directive, four things are required:

  1. Add the domains https://*.smartlook.com https://*.smartlook.cloud to the script-src and connect-src directives
  2. Add blob: to the worker-src directive
  3. Add 'unsafe-eval' to the script-src directive
  4. Add a nonce or a hash of the Smartlook inline script (the one you intend to use) to the script-src directive

Here’s an example CSP for a website that loads scripts only from its own domain and makes requests only to its own domain, with the Smartlook additions:

Content-Security-Policy: default-src 'self'; script-src 'self' https://*.smartlook.com https://*.smartlook.cloud 'nonce-randomlyGeneratedBase64Nonce' 'unsafe-eval'; connect-src 'self' https://*.smartlook.com https://*.smartlook.cloud; worker-src 'self' blob:

On the page it would look something like this:

<script nonce="randomlyGeneratedBase64Nonce">...Your Smartlook Tracking Script...</script>

More information about nonces and script content hashes can be found on Mozilla’s CSP: script-src web page.

One thing to note: we recommend not using 'unsafe-inline' in any directive, as it can render the CSP insecure and leave pages vulnerable to cross-site scripting (XSS) and other forms of attack.
