Using PX with Content Security Policy (CSP)

Updated 1 week ago by Angelo Matheou

Does your product use a Content Security Policy (CSP) in your code base? This document defines the steps to take to allow Gainsight PX functionality with your CSP.

Some web products include a Content-Security-Policy HTTP header in the web application. This helps detect and mitigate certain types of attacks, such as XSS and code or data injection, by instructing the browser to execute or render resources only from trusted sources. The CSP allows you to create a whitelist of sources of trusted content.

If your web application uses a Content Security Policy (CSP) in HTTP headers or a <META> tag, you must update it to allow Gainsight PX functionality. Otherwise, you may see an error like this in your Google Developer Tools or Firefox Developer Tools:

Refused to execute aptrinsic.com because it violates the following Content Security Policy directive...

Modify your CSP

In order to take advantage of PX's tracking and engagement experiences, your web application's Content Security Policy (CSP) must include the following directives:


script-src *.aptrinsic.com; style-src *.aptrinsic.com 'unsafe-inline'; img-src *.aptrinsic.com storage.googleapis.com; connect-src *.aptrinsic.com;

NOTE: If your website already has a CSP, add the sources above to the matching directives in your existing policy.
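The merge described in the note, as an added example (not Gainsight's code): browsers honour only the first occurrence of a directive within a policy, and a newly declared `script-src`, `style-src`, `img-src` or `connect-src` replaces the `default-src` fallback for that resource type, so the PX sources have to be folded into the existing source lists rather than appended as a second set of directives. The helper names `parseCsp` and `mergePxIntoCsp` and the sample policy are assumptions made for illustration.

```javascript
// Sources taken from the directive line on this page.
const PX_SOURCES = {
  "script-src": ["*.aptrinsic.com"],
  "style-src": ["*.aptrinsic.com", "'unsafe-inline'"],
  "img-src": ["*.aptrinsic.com", "storage.googleapis.com"],
  "connect-src": ["*.aptrinsic.com"],
};

// Parse a policy string into a Map of directive name -> source list.
// Browsers honour only the first occurrence of a directive, so do the same.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hypothetical helper: merge the PX sources into an existing policy.
function mergePxIntoCsp(existingPolicy) {
  const directives = parseCsp(existingPolicy);
  for (const [name, pxSources] of Object.entries(PX_SOURCES)) {
    // A newly declared fetch directive replaces the default-src fallback,
    // so seed it with default-src's sources to keep what was already allowed.
    const base = directives.get(name) ?? directives.get("default-src") ?? [];
    // 'none' is only meaningful alone; drop it once real sources are added.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of pxSources) {
      if (!merged.includes(src)) merged.push(src);
    }
    directives.set(name, merged);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Constructed sample policy (not from the page).
const sample = "default-src 'self'; script-src 'self' cdn.example.com; img-src 'none'";
console.log(mergePxIntoCsp(sample));
```

If the existing `style-src` already carries a nonce or hash, browsers ignore `'unsafe-inline'` in that directive, so check the merged policy in the browser console after deploying it.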

