To enhance security, websites define Content Security Policy (CSP), which allows website owners to restrict the content (script/styles/images, etc.) loaded on the page to only trusted (whitelisted) sources. It ensures that no malicious external asset can risk your business or customers by acting as an agent for a trusted website. The browser will reject any content from non-whitelisted sources if the Content-Security-Policy header is defined. To learn more about the importance of CSP and how it works, read this.
VWO running on your website intends to provide your visitors with the campaign experiences you've designed; VWO does not inject unwanted content on your website or gather any Personally Identifiable Information (PII).
To whitelist VWO, add the following rules to your existing Content Security Policy. This enables VWO services to function properly on your website.
- These rules may disable certain protections; however, this is necessary when working with a dynamic AB testing solution like VWO, which relies on dynamic content to make decisions and apply JS and CSS changes. At VWO, we are proactively working to eliminate the need for these.
- Do not directly paste the CSP if you already have one on your website. Carefully append the respective CSP to the existing one.
If you prefer to use the nonce method of whitelisting CSPs, you can use the following:
If you do not use VWO Engage and your account is not enabled with Data360, update your existing CSP policy to include the following:
If you use VWO Engage, update your existing CSP policy to include the following (applies for both Data360 and non-Data360 accounts):