Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. If you're running into an issue with your CSP, you might need to make an adjustment to allow full functionality.
This article outlines the minimum required directives to allow Feedback full functionality. If you need to enable CSP for Pendo’s Engage (Insights & Guidance) platform, see the original Content Security Policy (CSP) article.
Minimum Required Directives
Replace foo.example.com below with your hostname. You may include https:// before any hostnames if desired.
Minimum Required CSP Directives For US/Worldwide Non-EU Clients:
Full functionality, including embedding Feedback in the Pendo Resource Center:
connect-src foo.example.com api.feedback.us.pendo.io
frame-src foo.example.com portal.feedback.us.pendo.io
In addition, while using Visual Design Studio:
script-src 'unsafe-inline' 'unsafe-eval'
If you're using the widget view for visitor access to Feedback:
style-src 'unsafe-inline'
Minimum requirements for Feedback to function:
connect-src foo.example.com api.feedback.us.pendo.io
Minimum Required CSP Directives For EU Clients:
Full functionality, including embedding Feedback in the Pendo Resource Center:
connect-src foo.example.com api.feedback.eu.pendo.io
frame-src foo.example.com portal.feedback.eu.pendo.io
In addition, while using Visual Design Studio:
script-src 'unsafe-inline' 'unsafe-eval'
If you're using the widget view for visitor access to Feedback:
style-src 'unsafe-inline'
Minimum requirements for Feedback to function:
connect-src api.feedback.eu.pendo.io
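One way to fold the directives above into a policy a site already serves, as an added example that is not Pendo's code. The function name mergeFeedbackCsp and its option names are hypothetical, and connect-src always receives the application hostname, as in the full-functionality lines. A directive missing from the existing policy is seeded from its fallback (default-src, or child-src for frame-src), because defining it would otherwise silently drop those sources.

```javascript
// Added example: merge the Feedback sources from this article into an existing CSP.
// Hostnames come from the article; function and option names are hypothetical.
const FEEDBACK_HOSTS = {
  us: { api: 'api.feedback.us.pendo.io', portal: 'portal.feedback.us.pendo.io' },
  eu: { api: 'api.feedback.eu.pendo.io', portal: 'portal.feedback.eu.pendo.io' },
};

// Parse "name src src; name src" into a Map of directive name -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so only the first one is kept.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function addSources(directives, name, additions) {
  // An absent directive falls back to default-src (frame-src tries child-src
  // first). Defining it ends that fallback, so start from the fallback sources.
  const chain = name === 'frame-src' ? ['child-src', 'default-src'] : ['default-src'];
  const fallback = chain.find((d) => directives.has(d));
  const current = directives.get(name) || (fallback ? directives.get(fallback) : []);
  // 'none' is only valid alone, so it is dropped once real sources are added.
  const merged = current.filter((s) => s.toLowerCase() !== "'none'");
  for (const source of additions) {
    if (!merged.includes(source)) merged.push(source);
  }
  directives.set(name, merged);
}

function mergeFeedbackCsp(policy, opts) {
  const { region, appHost, embedInResourceCenter, visualDesignStudio, widgetView } = opts;
  const hosts = FEEDBACK_HOSTS[region];
  if (!hosts) throw new Error(`unknown region: ${region}`);
  const directives = parseCsp(policy);
  addSources(directives, 'connect-src', [appHost, hosts.api]);
  if (embedInResourceCenter) addSources(directives, 'frame-src', [appHost, hosts.portal]);
  // Added only on request: these two keywords relax script-src for every script.
  if (visualDesignStudio) addSources(directives, 'script-src', ["'unsafe-inline'", "'unsafe-eval'"]);
  if (widgetView) addSources(directives, 'style-src', ["'unsafe-inline'"]);
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}
```

If the existing script-src or style-src carries a nonce or hash, browsers ignore 'unsafe-inline' in that directive, so check the merged policy in the browser console before deploying it.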