All files / src/lib csp-allowlist.ts

100% Statements 1/1
100% Branches 0/0
100% Functions 0/0
100% Lines 1/1

Press n or j to go to the next uncovered block, b, p or k for the previous block.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58                    2x                                                                                              
// Third-party origins permitted by the marketplace Content Security Policy.
//
// One entry per directive. To enable a new marketing/analytics vendor, append
// its origins to the relevant arrays here — no middleware logic changes
// required. Keep entries grouped by vendor (with a comment) so a future reader
// can see who needs what and remove a vendor cleanly when retiring a tag.
//
// Wildcards (`https://*.example.com`) are honoured by CSP — use them sparingly
// and only when the vendor genuinely uses dynamic subdomains.
 
export const CSP_ALLOWLIST = {
	scriptSrc: [
		// Google Tag Manager — bootstrap script (gtm.js)
		"https://www.googletagmanager.com",
		// Contentsquare — tag script injected by the GTM Contentsquare template
		// (t.contentsquare.net/uxa/<tagId>.js) + in-app features
		"https://*.contentsquare.net",
		"https://app.contentsquare.com",
	],
	imgSrc: [
		// Google Tag Manager (no-script fallback iframe pings, debug pixels)
		"https://www.googletagmanager.com",
		// Google Analytics 4 — collect endpoint pixel beacons
		"https://www.google-analytics.com",
		"https://*.analytics.google.com",
		// Google Ads / Doubleclick — remarketing + conversion pixels (pre-allowed
		// so Ads ships later via GTM admin without another CSP PR)
		"https://*.g.doubleclick.net",
		"https://www.google.com",
		"https://www.google.co.in",
		// Contentsquare — replay asset pixels
		"https://*.contentsquare.net",
	],
	connectSrc: [
		// Google Analytics 4 — measurement protocol XHR/beacon
		"https://www.google-analytics.com",
		"https://*.analytics.google.com",
		"https://*.google-analytics.com",
		// GA4 cross-domain / engagement-ping endpoint (gtm.js routes some
		// `g/collect` beacons here for ads attribution). Without this CSP
		// blocks every page load with a `Refused to connect to
		// 'https://www.google.com/g/collect'` console error.
		"https://www.google.com",
		"https://www.google.co.in",
		// Google Ads / Doubleclick — conversion linker XHR
		"https://stats.g.doubleclick.net",
		// Contentsquare — session-replay/analytics beacons
		"https://*.contentsquare.net",
		"https://*.contentsquare.com",
	],
	frameSrc: [
		// Google Tag Manager — <noscript> iframe fallback
		"https://www.googletagmanager.com",
		// Google Ads — conversion iframe
		"https://td.doubleclick.net",
	],
} as const;