Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in a trusted web page context. If your website uses CSP and you plan to integrate the Cometly tracking pixel, you'll need to adjust your CSP settings to ensure the pixel functions correctly.
This guide will help you configure your CSP to work seamlessly with the Cometly pixel.
Why Adjust Your CSP for Cometly?
By default, CSP restricts the sources from which your website can load resources like scripts, styles, and images. Since the Cometly pixel loads an external script and sends data back to Cometly servers, your CSP may block these actions unless explicitly allowed.
The Cometly pixel:
- Loads a script from https://t.cometlytrack.com
- Automatically fires an init event upon loading, which involves network requests to Cometly's servers
To ensure the pixel operates without issues, you'll need to update your CSP to permit these actions.
Updating Your CSP Directives
Here are the CSP directives you need to adjust:
- script-src: Allows loading scripts from specified sources.
- connect-src: Permits sending data to specified endpoints.
Example CSP Configuration
Content-Security-Policy:
script-src 'self' https://t.cometlytrack.com;
connect-src 'self' https://t.cometlytrack.com;
Breakdown:
- script-src: Adds https://t.cometlytrack.com to allow loading the Cometly pixel script.
- connect-src: Includes https://t.cometlytrack.com to permit network requests made by the pixel, including the automatic init event.
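The following is an added example, not Cometly's own code: a small checker that parses a Content-Security-Policy header value and reports whether script-src and connect-src permit the pixel origin above. It goes one step beyond the configuration shown on this page by also applying the browser's fallback rule (a missing script-src or connect-src inherits default-src), which is the usual reason a pixel that loads fine still has its init request blocked. The function names (parseCsp, sourceMatches, directiveAllows, checkCometlyCsp) are hypothetical; only the origin comes from the page.

```javascript
// Added example, not Cometly's own code. Assumes a Node.js or browser
// runtime with the global URL class; the origin below is from the guide.
const COMETLY_ORIGIN = "https://t.cometlytrack.com";

// Split a header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  // Tolerate the "Content-Security-Policy:" prefix used in the example above.
  const value = header.replace(/^\s*content-security-policy:\s*/i, "");
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    // A repeated directive is ignored by browsers; the first one wins.
    if (!(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression (host-source, scheme-source or '*') match origin?
// Keywords such as 'self' or 'none' never match an external origin.
function sourceMatches(source, origin) {
  const url = new URL(origin);
  const expr = source.toLowerCase();
  if (expr.startsWith("'")) return false;
  if (expr === "*") return true;
  if (expr === "https:") return url.protocol === "https:";
  let host = expr;
  if (host.startsWith("https://")) host = host.slice("https://".length);
  else if (host.includes("://")) return false; // e.g. http:// does not cover https
  host = host.replace(/\/.*$/, "").replace(/:443$/, ""); // drop path, default port
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return host === url.hostname;
}

// Fetch directives fall back to default-src when absent; with neither present
// the browser applies no CSP restriction to that resource type.
function directiveAllows(policy, directive, origin) {
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, origin));
}

// Report which of the two directives the pixel needs are satisfied.
function checkCometlyCsp(header) {
  const policy = parseCsp(header);
  return {
    script: directiveAllows(policy, "script-src", COMETLY_ORIGIN),
    connect: directiveAllows(policy, "connect-src", COMETLY_ORIGIN),
  };
}
```

Run it against your own header value before deploying: a result of script true and connect false means the script loads but the init event is blocked by default-src.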