Hi Atlassian Community, could you advise what the right way is to set up the Content-Security-Policy header? I'm trying to set up Survicate and Hotjar for an application on the Forge platform. The scripts are loading, but it seems that the CSP header prevents these libraries from communicating with their servers. E.g. Survicate is trying to fetch JSON from the https://respondent.survicate.com/ domain, but it's still blocked (I assume external.fetch.client or external.fetch.backend should allow that).

This is how our manifest looks:
```yaml
external:
  scripts:
    # (...)
    - "https://survey.survicate.com"
    - "https://surveys-static.survicate.com"
    - "https://*.hotjar.com"
  styles:
    # (...)
    - "*.survicate.com"
    - "https://*.hotjar.com"
  images:
    # (...)
    - "https://surveys-static.survicate.com"
    - "https://assets.survicate.com"
    - "https://*.hotjar.com"
  fonts:
    # (...)
    - "https://surveys-static.survicate.com"
    - "https://*.hotjar.com"
  fetch:
    client:
      # (...)
      - "https://respondent.survicate.com/"
      - "https://*.hotjar.com"
      - "https://*.hotjar.io"
      - "wss://*.hotjar.com"
```
I also tried duplicating the URLs from external.fetch.client in external.fetch.backend and setting the content property as below.
```yaml
content:
  styles:
    - unsafe-inline
  scripts:
    - unsafe-inline
    - unsafe-eval
    - unsafe-hashes
```
Did anyone encounter a similar problem?
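As an added diagnostic that is not part of the original post and not Atlassian's or Forge's own code: a small implementation of the CSP Level 3 host-source matching rules (scheme inheritance, `*.` host wildcards, default ports, trailing-slash path prefixes) run against the source lists quoted in the manifest above. It tells you whether a given request URL would be admitted by a given list, which is the first thing to establish before reaching for `unsafe-*` keywords. The mapping from manifest keys to CSP directives (`fetch.client` to `connect-src`, and so on) and the `check` helper are assumptions of this example; the `(...)` entries from the post are omitted, so the lists are the constructed subset shown in the post.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Assumed mapping from keys under the manifest's permissions.external section to the
# CSP directives they populate. This mapping is an assumption of the example.
DIRECTIVE_FOR = {
    "scripts": "script-src",
    "styles": "style-src",
    "images": "img-src",
    "fonts": "font-src",
    "fetch.client": "connect-src",
}

# Constructed from the manifest quoted in the post; the "(...)" entries are omitted.
MANIFEST_EXTERNAL = {
    "scripts": ["https://survey.survicate.com", "https://surveys-static.survicate.com",
                "https://*.hotjar.com"],
    "styles": ["*.survicate.com", "https://*.hotjar.com"],
    "images": ["https://surveys-static.survicate.com", "https://assets.survicate.com",
               "https://*.hotjar.com"],
    "fonts": ["https://surveys-static.survicate.com", "https://*.hotjar.com"],
    "fetch.client": ["https://respondent.survicate.com/", "https://*.hotjar.com",
                     "https://*.hotjar.io", "wss://*.hotjar.com"],
}


def parse_source(expr):
    """Split a CSP host-source into (scheme, host, port, path); None/"" when absent."""
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    path = ""
    if "/" in rest:
        rest, tail = rest.split("/", 1)
        path = "/" + tail
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    return (scheme.lower() if scheme else None, rest.lower(), port, path)


def scheme_matches(source_scheme, url_scheme, page_scheme):
    """A scheme-less source inherits the page scheme; http also admits https, ws admits wss."""
    expected = source_scheme or page_scheme
    return expected == url_scheme or (expected, url_scheme) in {("http", "https"), ("ws", "wss")}


def host_matches(source_host, url_host):
    """'*' matches any host; '*.example.com' matches subdomains but not example.com itself."""
    if source_host == "*":
        return True
    if source_host.startswith("*."):
        return url_host.endswith(source_host[1:])
    return source_host == url_host


def path_matches(source_path, url_path):
    """No path: match everything; trailing '/': prefix match; otherwise exact match."""
    if not source_path:
        return True
    url_path = url_path or "/"
    return url_path.startswith(source_path) if source_path.endswith("/") else url_path == source_path


def url_allowed(url, sources, page_scheme="https"):
    """True if url matches at least one host-source or scheme-source in sources.

    Keyword sources ('self', nonces, hashes) are not modelled here and are skipped.
    """
    u = urlsplit(url)
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    for expr in sources:
        if expr.startswith("'"):
            continue
        if "://" not in expr and expr.endswith(":"):  # scheme-source such as "https:"
            if scheme_matches(expr[:-1].lower(), u.scheme, page_scheme):
                return True
            continue
        s_scheme, s_host, s_port, s_path = parse_source(expr)
        if not scheme_matches(s_scheme, u.scheme, page_scheme):
            continue
        if not host_matches(s_host, (u.hostname or "").lower()):
            continue
        if s_port is None:
            if url_port != DEFAULT_PORTS.get(u.scheme):
                continue
        elif s_port != "*" and url_port != int(s_port):
            continue
        if path_matches(s_path, u.path):
            return True
    return False


def check(manifest_key, url):
    """Would a request to url be allowed by the sources listed under manifest_key? (assumed helper)"""
    return url_allowed(url, MANIFEST_EXTERNAL[manifest_key])


if __name__ == "__main__":
    for key, url in [("fetch.client", "https://respondent.survicate.com/api/v1/surveys"),
                     ("fetch.client", "https://assets.survicate.com/data.json"),
                     ("styles", "https://surveys-static.survicate.com/widget.css")]:
        verdict = "allowed" if check(key, url) else "BLOCKED"
        print(f"{DIRECTIVE_FOR[key]:<12} {url:<55} {verdict}")
```

Compare the verdicts with the directive named in the browser's console error (the report says which directive, e.g. `connect-src`, refused the request): if a URL the matcher admits is still refused, the header the browser received is not the one the manifest implies, which is a different problem from a missing entry.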