Survicate and HotJar - Content-Security-Policy headers

Hi Atlassian Community, could you advise what the right way is to set up the Content-Security-Policy header? I'm trying to set up Survicate and HotJar for an application on the Forge platform. The scripts are loading, but it seems that the CSP header prevents these libraries from communicating with their servers. E.g. Survicate is trying to fetch JSON from the https://respondent.survicate.com/ domain, but it is still blocked (I assume external.fetch.client or external.fetch.backend should allow that). This is what our manifest looks like:

 external:
    scripts:
      (...)
      - "https://survey.survicate.com"
      - "https://surveys-static.survicate.com"
      - "https://*.hotjar.com"
    styles:
      (...)
      - "*.survicate.com"
      - "https://*.hotjar.com"
    images:
      (...)
      - "https://surveys-static.survicate.com"
      - "https://assets.survicate.com"
      - "https://*.hotjar.com"
    fonts:
      (...)
      - "https://surveys-static.survicate.com"
      - "https://*.hotjar.com"
    fetch:
      client:
        (...)
        - "https://respondent.survicate.com/"
        - "https://*.hotjar.com"
        - "https://*.hotjar.io"
        - "wss://*.hotjar.com"

I also tried duplicating the URLs from external.fetch.client into external.fetch.backend and setting the content property as below.

  content:
    styles:
      - unsafe-inline
    scripts:
      - unsafe-inline
      - unsafe-eval
      - unsafe-hashes

Did anyone encounter a similar problem?

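As an added example, not code from the original post and not Forge's own implementation: the script below mimics how an `external` block like the one above might be rendered into CSP directives, then evaluates request URLs against those directives using the CSP3 source-expression matching rules (scheme, wildcard host, port, path prefix; ws/wss URLs are rewritten to http/https, as Fetch does before CSP enforcement). The manifest-key-to-directive mapping (`fetch.client` to `connect-src`, `scripts` to `script-src`, and so on), the page origin and the sample request URLs are all assumptions made for illustration; the authoritative answer is the Content-Security-Policy header the browser actually received and the blocked URL in the console's violation message.

```javascript
// Added example, not from the original post or from Forge.
// Assumed mapping of manifest keys to CSP directives (verify against the
// real response header in the browser's network tab).
const DIRECTIVE_FOR = {
  scripts: "script-src",
  styles: "style-src",
  images: "img-src",
  fonts: "font-src",
  "fetch.client": "connect-src",
};

// Constructed origin of the page that loads the third-party scripts.
const PAGE_ORIGIN = "https://app.example.test";

// Constructed manifest excerpt modelled on the post; elided "(...)" entries omitted.
const MANIFEST_EXTERNAL = {
  scripts: ["https://survey.survicate.com", "https://surveys-static.survicate.com", "https://*.hotjar.com"],
  styles: ["*.survicate.com", "https://*.hotjar.com"],
  images: ["https://surveys-static.survicate.com", "https://assets.survicate.com", "https://*.hotjar.com"],
  fonts: ["https://surveys-static.survicate.com", "https://*.hotjar.com"],
  fetch: { client: ["https://respondent.survicate.com/", "https://*.hotjar.com", "https://*.hotjar.io", "wss://*.hotjar.com"] },
};

// Render the manifest into { "script-src": ["'self'", ...], "connect-src": [...], ... }.
function buildDirectives(external) {
  const out = {};
  for (const [key, directive] of Object.entries(DIRECTIVE_FOR)) {
    const sources = key === "fetch.client" ? external.fetch && external.fetch.client : external[key];
    if (sources && sources.length) out[directive] = ["'self'", ...sources];
  }
  return out;
}

// Serialise directives into a header value: "script-src 'self' ...; connect-src ...".
function toHeader(directives) {
  return Object.entries(directives).map(([d, s]) => `${d} ${s.join(" ")}`).join("; ");
}

// Split a source expression such as "https://*.hotjar.com:443/path" into parts.
// Returns { scheme, host, port, path } (host null for scheme-only expressions like "https:").
function parseSource(expr) {
  let scheme = null;
  let rest = expr;
  const sm = /^([a-z][a-z0-9+.-]*):(\/\/)?/i.exec(rest);
  if (sm) { scheme = sm[1].toLowerCase(); rest = rest.slice(sm[0].length); }
  if (rest === "") return { scheme, host: null, port: null, path: null };
  const hm = /^([^:/]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(rest);
  if (!hm) return null;
  return { scheme, host: hm[1].toLowerCase(), port: hm[2] || null, path: hm[3] || null };
}

// CSP3 "scheme-part match": expression scheme a against request scheme b.
function schemeMatches(a, b) {
  return a === b || (a === "http" && b === "https") ||
    (a === "ws" && ["wss", "http", "https"].includes(b)) || (a === "wss" && b === "https");
}

// "*.hotjar.com" matches subdomains only, never the bare apex "hotjar.com".
function hostMatches(exprHost, urlHost) {
  if (exprHost === "*") return true;
  if (exprHost.startsWith("*.")) return urlHost.endsWith(exprHost.slice(1));
  return exprHost === urlHost;
}

// Does one source expression permit urlStr, for a page served from PAGE_ORIGIN?
function sourceMatches(expr, urlStr) {
  // Fetch rewrites ws:/wss: to http:/https: before CSP is consulted.
  const url = new URL(urlStr.replace(/^ws(s?):/i, "http$1:"));
  if (expr === "'self'") return url.origin === new URL(PAGE_ORIGIN).origin;
  const src = parseSource(expr);
  if (!src) return false;
  const urlScheme = url.protocol.slice(0, -1);
  // A scheme-less expression ("*.survicate.com") inherits the page's scheme.
  const exprScheme = src.scheme || new URL(PAGE_ORIGIN).protocol.slice(0, -1);
  if (!schemeMatches(exprScheme, urlScheme)) return false;
  if (src.host === null) return true; // scheme-only expression, e.g. "https:"
  if (!hostMatches(src.host, url.hostname.toLowerCase())) return false;
  // No port in the expression: the URL must use its scheme's default port (URL.port is "" then).
  if (src.port === null) { if (url.port !== "") return false; }
  else if (src.port !== "*" && src.port !== (url.port || (url.protocol === "https:" ? "443" : "80"))) return false;
  // A path ending in "/" is a prefix match (so the trailing slash in the post is harmless); otherwise exact.
  if (src.path) {
    if (src.path.endsWith("/")) { if (!url.pathname.startsWith(src.path)) return false; }
    else if (url.pathname !== src.path) return false;
  }
  return true;
}

// Would a request governed by `directive` be allowed by this policy?
function isAllowed(directives, directive, urlStr) {
  const sources = directives[directive] || directives["default-src"];
  if (!sources) return true; // no governing directive: CSP does not restrict it
  return sources.some((s) => sourceMatches(s, urlStr));
}

// Usage: render the policy and probe the URLs the widgets are likely to hit.
const policy = buildDirectives(MANIFEST_EXTERNAL);
console.log(toHeader(policy));
for (const [directive, url] of [
  ["connect-src", "https://respondent.survicate.com/surveys/abc.json"],
  ["connect-src", "https://survey.survicate.com/api"], // listed under scripts only
  ["connect-src", "wss://ws.hotjar.com/api"],
  ["connect-src", "https://hotjar.com/x"], // apex not covered by the wildcard
  ["style-src", "https://fonts.survicate.com/a.css"],
]) console.log(directive, url, isAllowed(policy, directive, url) ? "allowed" : "BLOCKED");
```

Running it shows the gotchas worth checking first: a host listed only under `scripts` does not cover the requests that script later makes (each fetch host needs its own `fetch.client` entry), `https://*.hotjar.com` does not cover the apex `hotjar.com`, and a scheme-less entry such as `*.survicate.com` inherits the page's `https` scheme. Matching is simplified (no percent-decoding of path segments, no redirect handling), so treat disagreements with the browser's own violation report as the browser being right.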