Content Security Policy (CSP)
CSP is an optional browser security mechanism, delivered as the `Content-Security-Policy` response header or a `<meta http-equiv="Content-Security-Policy">` tag, in which a web app declares the origins it will load scripts, styles, frames, images and network connections from; the browser blocks anything not listed. This page lists the minimum directives that must be present for Customer.io functionality to work. They are additions to your existing policy, not a complete policy: merge each source into the matching directive of the policy you already serve. If you have no CSP today, do not ship one containing only these entries, because every other resource your pages load would be blocked.
Required CSP Directives for Accounts on the US Data Center
```
script-src assets.customer.io code.gist.build customerioforms.com 'unsafe-inline' 'unsafe-eval';
connect-src track.customer.io customerioforms.com *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src code.gist.build 'unsafe-inline';
img-src track.customer.io;
```
Required CSP Directives for Accounts on the EU Data Center
```
script-src assets.customer.io code.gist.build eu.customerioforms.com 'unsafe-inline' 'unsafe-eval';
connect-src track-eu.customer.io eu.customerioforms.com *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src code.gist.build 'unsafe-inline';
img-src track-eu.customer.io;
```
Glossary of Directives
The tables below list the US hosts; EU accounts substitute track-eu.customer.io for track.customer.io and eu.customerioforms.com for customerioforms.com, as in the EU list above.
Directive: script-src
Host | Description |
---|---|
assets.customer.io | Location of the Customer.io JavaScript file, referenced in the installation snippet. |
code.gist.build | Location of the services that enable In-App Messaging. |
customerioforms.com | Location of the services that enable Connected Forms. |
Directive: connect-src
Host | Description |
---|---|
track.customer.io | Required for the JavaScript snippet to send tracked events to Customer.io (track-eu.customer.io for EU accounts). |
customerioforms.com | Required for Connected Forms events (eu.customerioforms.com for EU accounts). |
*.api.gist.build, *.cloud.gist.build | Required for In-App Messaging. |
Directive: frame-src
Host | Description |
---|---|
renderer.gist.build, code.gist.build | Required for loading in-app messages. |
Directive: style-src
Host | Description |
---|---|
code.gist.build | Required for adding the in-app message styles to the page. |
Directive: img-src
Host | Description |
---|---|
track.customer.io | Required for pageview tracking (track-eu.customer.io for EU accounts). |
Frequently Asked Questions
Are 'unsafe-inline' and 'unsafe-eval' required?
Yes. 'unsafe-inline' and 'unsafe-eval' in script-src, and 'unsafe-inline' in style-src, are required for the Customer.io JavaScript and CSS to work. Note that these are source keywords inside a directive, not directives in their own right. Be aware of what they cost: 'unsafe-inline' in script-src lets the browser run any inline script on the page and 'unsafe-eval' permits eval-style execution, which together remove most of the cross-site scripting protection a CSP would otherwise give you. Keep them only in the directives that need them and do not widen others (such as default-src or object-src) to match. Also note that if your script-src already uses a nonce or hash source, browsers that implement CSP Level 2 ignore 'unsafe-inline' in that directive, so the Customer.io snippet would still be blocked.
Can I exclude the directives relating to Connected Forms or In-App Messaging if I don’t plan on using those Customer.io features?
Yes, you can leave out the sources for either or both features if you don’t use them. For Connected Forms, the sources to drop from script-src and connect-src are:
- customerioforms.com
- eu.customerioforms.com
For In-App Messaging, drop the following from script-src, connect-src, frame-src and style-src wherever they appear:
- *.api.gist.build
- *.cloud.gist.build
- renderer.gist.build
- code.gist.build
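The directive lists above and this FAQ on dropping unused features, worked through as an added Python example (not Customer.io's own code). It builds the required source map for a data center and feature set, checks an existing Content-Security-Policy value for what is missing, honouring the default-src and child-src fallbacks the browser applies when a directive is absent, and appends the gaps. The host lists are copied from the page; the function names, the feature switches, and the sample header are this example's own, and it ignores source schemes, ports and paths, which slightly over-approximates what a browser would allow.

```python
"""Build, merge and check the Customer.io CSP sources listed on this page.
Added example, not Customer.io's own code: host lists are copied from the page;
function names, feature switches and the sample header are this example's own.
Source schemes, ports and paths are ignored; only the default-src and child-src
fallbacks are modelled."""

# Hosts from the directive lists above, split by data center and feature.
CORE = {
    "us": {"script-src": ["assets.customer.io"], "connect-src": ["track.customer.io"],
           "img-src": ["track.customer.io"]},
    "eu": {"script-src": ["assets.customer.io"], "connect-src": ["track-eu.customer.io"],
           "img-src": ["track-eu.customer.io"]},
}
CONNECTED_FORMS = {
    "us": {"script-src": ["customerioforms.com"], "connect-src": ["customerioforms.com"]},
    "eu": {"script-src": ["eu.customerioforms.com"], "connect-src": ["eu.customerioforms.com"]},
}
IN_APP = {  # identical for both data centers
    "script-src": ["code.gist.build"],
    "connect-src": ["*.api.gist.build", "*.cloud.gist.build"],
    "frame-src": ["renderer.gist.build", "code.gist.build"],
    "style-src": ["code.gist.build"],
}
# The FAQ above says these keywords stay required whichever features are used.
KEYWORDS = {"script-src": ["'unsafe-inline'", "'unsafe-eval'"], "style-src": ["'unsafe-inline'"]}
# Where the browser looks when a directive is absent (frame-src tries child-src first).
FALLBACK = {"frame-src": ["child-src", "default-src"]}

def required_sources(data_center, connected_forms=True, in_app=True):
    """Directive -> sources Customer.io needs for "us"/"eu" and the chosen features."""
    parts = [CORE[data_center], KEYWORDS]
    if connected_forms:
        parts.append(CONNECTED_FORMS[data_center])
    if in_app:
        parts.append(IN_APP)
    merged = {}
    for part in parts:
        for directive, sources in part.items():
            for src in sources:
                if src not in merged.setdefault(directive, []):
                    merged[directive].append(src)
    return merged

def parse_csp(header):
    """Split a Content-Security-Policy value into directive -> source expressions."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy):
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())

def source_allows(sources, needed):
    """True if a directive's source list admits `needed` (a keyword, host or *.suffix)."""
    if needed.startswith("'"):  # keywords such as 'unsafe-inline' must appear literally
        return needed in sources
    for src in sources:
        host = src.split("://", 1)[-1].split("/", 1)[0].lower()  # scheme and path dropped
        if host == "*" or host == needed:
            return True
        # '*.gist.build' covers 'code.gist.build' and '*.api.gist.build', not bare 'gist.build'
        if host.startswith("*.") and needed.endswith(host[1:]):
            return True
    return False

def missing_sources(header, required):
    """Directive -> required sources the header does not allow. An absent directive
    inherits from its fallback; with no fallback either, that fetch type is
    unrestricted by CSP, so nothing is reported for it."""
    policy = parse_csp(header)
    missing = {}
    for directive, needed in required.items():
        for candidate in [directive, *FALLBACK.get(directive, ["default-src"])]:
            if candidate in policy:
                gaps = [n for n in needed if not source_allows(policy[candidate], n)]
                if gaps:
                    missing[directive] = gaps
                break
    return missing

def merge_required(header, required):
    """Return the header with every missing source appended to the right directive."""
    policy = parse_csp(header)
    for directive, gaps in missing_sources(header, required).items():
        if directive not in policy:  # materialise it from what it inherited, minus 'none'
            base = next((policy[f] for f in FALLBACK.get(directive, ["default-src"]) if f in policy), [])
            policy[directive] = [s for s in base if s != "'none'"]
        policy[directive].extend(gaps)
    return serialize_csp(policy)

# Constructed sample: a site that already locks most fetch types to 'self'.
SAMPLE_HEADER = ("default-src 'self'; script-src 'self' 'unsafe-inline' *.gist.build; "
                 "img-src 'self' https://track.customer.io")

if __name__ == "__main__":
    for directive, gaps in missing_sources(SAMPLE_HEADER, required_sources("us")).items():
        print(f"{directive}: missing {' '.join(gaps)}")
    print(merge_required(SAMPLE_HEADER, required_sources("us")))
```

Run against the sample header, the checker reports that `connect-src`, `style-src` and `frame-src` are inheriting `'self'` from default-src and so need to be created explicitly, while `img-src` is already fine because the scheme-prefixed `https://track.customer.io` entry covers the host. When merging creates a previously absent directive it copies the inherited sources first, because once `connect-src` exists the browser stops consulting default-src for connections.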