Feedback's Content Security Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. If you're running into an issue with your CSP, you might need to make an adjustment to allow full functionality.

This article outlines the minimum required directives to allow Feedback full functionality. If you need to enable CSP for Pendo’s Engage (Insights & Guidance) platform, see the original Content Security Policy (CSP) article.

Minimum Required Directives

Note: Replace all occurrences of foo.example.com below with your hostname. You may include https:// before any hostnames if desired.

Minimum Required CSP Directives For US/Worldwide Non-EU Clients:

Full functionality, including embedding Feedback in the Pendo Resource Center:

connect-src foo.example.com api.feedback.us.pendo.io 
frame-src foo.example.com portal.feedback.us.pendo.io

In addition, while using Visual Design Studio:

script-src 'unsafe-inline' 'unsafe-eval'

If you're using the widget view for visitor access to Feedback:

style-src 'unsafe-inline'

Minimum requirements for Feedback to function:

connect-src foo.example.com api.feedback.us.pendo.io

Minimum Required CSP Directives For EU Clients:

Full functionality, including embedding Feedback in the Pendo Resource Center:

connect-src foo.example.com api.feedback.eu.pendo.io 
frame-src foo.example.com portal.feedback.eu.pendo.io

In addition, while using Visual Design Studio:

script-src 'unsafe-inline' 'unsafe-eval'

If you're using the widget view for visitor access to Feedback:

style-src 'unsafe-inline'

Minimum requirements for Feedback to function:

connect-src api.feedback.eu.pendo.io 
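
The directive lists above have to be merged into whatever policy you already serve. The following is an added example, not Pendo's code: it adds the full-functionality connect-src and frame-src sources for a region to an existing policy string, and when it has to create one of those directives it copies the sources the directive was inheriting (for example from default-src) so that nothing previously allowed becomes blocked. The function names and the sample policy are constructed for illustration.

```javascript
// Added example: merge Feedback's required sources into an existing CSP string.
// Hosts are taken from the directive lists in this article, per region.
const FEEDBACK_HOSTS = {
  us: { "connect-src": "api.feedback.us.pendo.io", "frame-src": "portal.feedback.us.pendo.io" },
  eu: { "connect-src": "api.feedback.eu.pendo.io", "frame-src": "portal.feedback.eu.pendo.io" },
};

// CSP fallback chains: a missing directive inherits from these, in order.
const FALLBACK = { "connect-src": ["default-src"], "frame-src": ["child-src", "default-src"] };

// Parse "name src src; name src" into a Map of name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep only the first.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function addFeedbackSources(policy, region, appHost) {
  const directives = parseCsp(policy);
  for (const [name, pendoHost] of Object.entries(FEEDBACK_HOSTS[region])) {
    let sources = directives.get(name);
    if (!sources) {
      // Defining the directive stops it inheriting, so seed it with the
      // sources it was inheriting to avoid blocking what already worked.
      const parent = FALLBACK[name].find((d) => directives.has(d));
      if (!parent) continue; // nothing restricts this fetch type: no change needed
      sources = [...directives.get(parent)];
    }
    // 'none' must stand alone, so drop it before adding hosts.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const host of [appHost, pendoHost]) {
      if (!sources.includes(host)) sources.push(host);
    }
    directives.set(name, sources);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Constructed sample policy; foo.example.com stands in for your hostname.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' cdn.example.net; frame-src 'none'";
console.log(addFeedbackSources(SAMPLE_POLICY, "us", "foo.example.com"));
```

The script-src and style-src keywords listed for Visual Design Studio and the widget view are deliberately left out of the merge, since they loosen the policy and should be added by hand only where those features are used.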