Content Security Policy (CSP)
If your website uses Content Security Policy (CSP), CookieTractor's scripts and API requests may be blocked by the browser. This is typically shown as error messages in the browser console.
Below are common CSP-related errors that occur when CookieTractor is not allowed in the website's Content Security Policy.
Common CSP errors
script-src – Script blocked
This error occurs when CookieTractor’s script is loaded from a domain that is not allowed by the script-src directive. The browser blocks the script and displays an error in the console containing the text
“violates the following Content Security Policy directive: script-src”,
which means that CookieTractor is not loaded correctly.
connect-src – API requests blocked
When API requests are blocked by the connect-src directive, the browser displays an error in the console with text such as
“Refused to connect because it violates the document's Content Security Policy” or
“violates the following Content Security Policy directive: connect-src”.
This means that CookieTractor cannot communicate with its services, which may affect features such as saving consent, loading configuration and reporting status back to CookieTractor.
Solution
Add the following sources to the corresponding directives in your CSP header:
| Directive | Source to add |
| --- | --- |
| script-src | https://*.cookietractor.com |
| connect-src | https://*.cookietractor.com |
| style-src | 'unsafe-inline' |
Use nonce
CookieTractor supports using the nonce attribute on our script tags to avoid having to set style-src to 'unsafe-inline'. Add nonce="{random-value}" to the script tag to activate this.
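To check an existing policy against the table above before deploying, the following added example (not CookieTractor's own code) parses a CSP header value and reports, per directive, whether the listed source is allowed. The function names and the sample header are constructed for illustration.

```javascript
// Sources taken from the table on this page.
const REQUIRED = {
  "script-src": "https://*.cookietractor.com",
  "connect-src": "https://*.cookietractor.com",
  "style-src": "'unsafe-inline'",
};

// Split a header value into { directive: [sources] }.
// Everything is lowercased, which is fine for auditing but not for reusing nonces.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by the browser: the first one wins.
    if (name && !(name in policy)) policy[name] = sources;
  }
  return policy;
}

const isNonceOrHash = (s) => /^'(nonce|sha256|sha384|sha512)-/.test(s);

// Does this source list permit the required entry?
function allows(sources, required) {
  if (required === "'unsafe-inline'") return sources.includes(required);
  // Host source: the exact entry, or a broader source that also covers https hosts.
  return sources.some((s) => s === required || s === "*" || s === "https:");
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const report = {};
  for (const [directive, required] of Object.entries(REQUIRED)) {
    // script-src, connect-src and style-src all fall back to default-src.
    const sources = policy[directive] ?? policy["default-src"];
    if (sources === undefined) report[directive] = "unrestricted";
    else if (required === "'unsafe-inline'" && sources.some(isNonceOrHash))
      report[directive] = "nonce-or-hash"; // browsers ignore 'unsafe-inline' here
    else report[directive] = allows(sources, required) ? "ok" : "missing";
  }
  return report;
}

// Constructed sample header, not taken from a real site.
const sampleHeader = "default-src 'self'; script-src 'self' https://*.cookietractor.com; " +
  "style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'";
console.log(auditCsp(sampleHeader));
```

A "nonce-or-hash" result means 'unsafe-inline' has no effect in that directive, so the nonce route described above is the one in use. The check does not model script-src-elem, style-src-elem or 'strict-dynamic'.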
Support
If you have questions about Content Security Policy (CSP) and CookieTractor, feel free to contact us at info@cookietractor.com.