Hi Atlassian Community, could you advise what the right way to set up the Content-Security-Policy header is? I’m trying to set up Survicate and HotJar for an application on the Forge platform. Scripts are loading, but it seems that the CSP header prevents these libraries from communicating with their servers. E.g. Survicate is trying to fetch JSON from the https://respondent.survicate.com/ domain, but it’s still prevented (I assume external.fetch.client or external.fetch.backend should allow that). This is what our manifest looks like:
external:
  scripts:
    (...)
    - "https://survey.survicate.com"
    - "https://surveys-static.survicate.com"
    - "https://*.hotjar.com"
  styles:
    (...)
    - "*.survicate.com"
    - "https://*.hotjar.com"
  images:
    (...)
    - "https://surveys-static.survicate.com"
    - "https://assets.survicate.com"
    - "https://*.hotjar.com"
  fonts:
    (...)
    - "https://surveys-static.survicate.com"
    - "https://*.hotjar.com"
  fetch:
    client:
      (...)
      - "https://respondent.survicate.com/"
      - "https://*.hotjar.com"
      - "https://*.hotjar.io"
      - "wss://*.hotjar.com"
I also tried duplicating the URLs from external.fetch.client in external.fetch.backend and setting the content property as below.
content:
  styles:
    - unsafe-inline
  scripts:
    - unsafe-inline
    - unsafe-eval
    - unsafe-hashes
Did anyone encounter a similar problem?