Installing the Freshpaint SDK with a Content Security Policy (CSP)
PreviousInstalling the Freshpaint Javascript SDKNextInstalling the Freshpaint Javascript SDK with Server-Side Rendering (SSR) + React
Last updated
Was this helpful?
Last updated
Was this helpful?
You may be using a Content Security Policy (CSP) in order to enhance the security of your webpage. Since this restricts how JavaScript resources are loaded, you'll need an engineer to follow a few more steps. You'll know this is an issue when the following console error is triggered when you try to install the Freshpaint snippet:
An engineer will need to use the hash given in your console error and add it to the allowlist for the 'script-src' in your CSP:
The following urls will need to be allowlisted on your CSP in order to load the Freshpaint snippet:
https://perfalytics.com/static/js/freshpaint.js
https://perfalytics.com/static/js/integrations.js
https://perfalytics.com/static/js/editor.js
The following domains will also need to be allowlisted:
script-src:
https://freshpaint-cdn.com
https://perfalytics.com
script-src-elem:
https://freshpaint-cdn.com
https://perfalytics.com
connect-src:
https://*.perfalytics.com
https://perfalytics.com
'unsafe-eval':
Using unsafe-eval in a Content Security Policy (CSP) allows the execution of arbitrary JavaScript code, increasing the risk of cross-site scripting (XSS) vulnerabilities. Only add this if using the Freshpaint Tag Manager or Dynamic Event Properties features.
If you have adblocker bypass enabled, the urls you will need to allowlist on your CSP will be specific to your account. You'll have to add the specific urls that appear in your console errors to your CSP. For example:
https://<custom_subdomain>.cloudfront.net/static/js/freshpaint.js
https://<custom_subdomain>.execute-api.us-west-2.amazonaws.com/prod
https://<custom_subdomain>.cloudfront.net/static/js/integrations.js
https://<custom_subdomain>.cloudfront.net/static/js/editor.js
If you have client-side app destinations integrated, those will have to be added to the allowlist on the CSP as well. Here is an example of a CSP with ad-blocker bypass enabled with the correct urls allowlisted with a Freshpaint client-side Mixpanel destination integration:
For more information, please .
and both rely on the unsafe-eval source expression in order to execute your associated JavaScript. If you are using these features, you must add this expression to your CSP.
