Installing the Freshpaint SDK with a Content Security Policy (CSP)
You may be using a Content Security Policy (CSP) in order to enhance the security of your webpage. Since this restricts how JavaScript resources are loaded, you'll need an engineer to follow a few more steps. You'll know this is an issue when the following console error is triggered when you try to install the Freshpaint snippet:
An engineer will will need to use the hash given in your console error and add it to the allowlist for the 'script-src' in your CSP:
The following urls will also need to be allowlisted on your CSP in order to load the Freshpaint snippet:
https://perfalytics.com/static/js/freshpaint.jshttps://perfalytics.com/static/js/integrations.jshttps://perfalytics.com/static/js/editor.js
If you have adblocker bypass enabled, the urls you will need to allowlist on your CSP will be specific to your account. You'll have to add the specific urls that appear in your console errors to your CSP. For example:
https://<custom_subdomain>.cloudfront.net/static/js/freshpaint.jshttps://<custom_subdomain>.execute-api.us-west-2.amazonaws.com/prodhttps://<custom_subdomain>.cloudfront.net/static/js/integrations.jshttps://<custom_subdomain>.cloudfront.net/static/js/editor.js
If you have client-side app destinations integrated, those will have to be added to the allowlist on the CSP as well. Here is an example of a CSP with ad-blocker bypass enabled with the correct urls allowlisted with a Freshpaint client-side Mixpanel destination integration:
<meta http-equiv="Content-Security-Policy" content="img-src 'self';
script-src 'self' 'sha256-topW5bAl+v+kyY7bBFMyXdN9/0es3zVP+TAWbEMFDAE=' https://*.cloudfront.net/static/js/freshpaint.js https://*.execute-api.us-west-2.amazonaws.com/prod https://*.cloudfront.net/static/js/integrations.js http://cdn.mxpnl.com; style-src 'self'">