Content Security Policy (CSP)

Updated

CSP is an optional security protocol (specified via a header or meta data) that requires a web app to identify all the content providers that the web app will make use of. This page outlines the minimum required directives to enable full Customer.io functionality.

Required CSP Directives for Accounts on the US Data Center

script-src assets.customer.io code.gist.build customerioforms.com 'unsafe-inline' 'unsafe-eval';
connect-src track.customer.io customerioforms.com *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src code.gist.build 'unsafe-inline';
img-src track.customer.io;

Required CSP Directives for Accounts on the EU Data Center

script-src assets.customer.io code.gist.build eu.customerioforms.com 'unsafe-inline' 'unsafe-eval';
connect-src track-eu.customer.io eu.customerioforms.com *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src code.gist.build 'unsafe-inline';
img-src track-eu.customer.io;

Glossary of Directives

Directive: script-src

HostDescription
assets.customer.ioLocation of the Customer.io javascript file, referenced in the installation snippet.
code.gist.buildLocation of the services that enable In-App Messaging.
customerioforms.comLocation of the services that enable Connected Forms.

Directive: connect-src

HostDescription
track.customer.ioRequired for event communication.
customerioforms.comRequired for Connected Forms events.
*.api.gist.build, *.cloud.gist.buildRequired for In-App Messaging.

Directive: frame-src

HostDescription
renderer.gist.build, code.gist.buildRequired for loading in-app messages.

Directive: style-src

HostDescription
code.gist.buildRequired for adding the in-app message styles to the page.

Directive: img-src

HostDescription
track.customer.ioRequired for pageview tracking.

Frequently Asked Questions

Are unsafe-inline and unsafe-eval directives required?

Yes, unsafe-inline and unsafe-eval directives are required for javascript and CSS to behave properly.

Can I exclude the directives relating to Connected Forms or In-App Messaging if I don’t plan on using those Customer.io features?

Yes, you can exclude the directives relating to either or both features if you don’t plan on using the features. For Custom Forms, the directives to exclude are:

  • customerioforms.com
  • eu.customerioforms.com

To remove In-App Messaging directives, exclude:

  • *.api.gist.build
  • *.cloud.gist.build
  • renderer.gist.build
  • code.gist.build
Copied to clipboard!
  Contents
Current release
 3.4.1
Is this page helpful?