Content Security Policy

Last updated 5 days ago

Content Security Policy

A common layer of security used by many websites is a . These policies help prevent unauthorized access to website visitor data, and can help mitigate certain types of website attacks. If your website employs the use of a CSP, it will be important to whitelist the Lucky Orange tracking script in order for features like recordings, chat, and the heatmap tool to function properly.

Necessary policy additions

Directive

Value

connect-src

https://*.luckyorange.com

https://pubsub.googleapis.com

wss://*.visitors.live

script-src

https://tools.luckyorange.com https://storage.googleapis.com/lucky-orange-public/heatmap2/*

worker-src

blob:

Note: The blob: directive is used to improve the performance of our code by performing certain actions within a web worker. The googleapis.com directive is used as fallback in the rare event our own data ingestion pipeline is unavailable.

Note: The https://storage.googleapis.com/lucky-orange-public/heatmap2/* directive is used by our heatmap tool. You do not need to add this if you do not plan to use our heatmap tool.

Note: For most sites, the additions in the table above will be enough. However, if you notice live chat, surveys, or announcements that are not being triggered and you aren't able to see live visitors, you may need to add the below additional value to the connect-src directive. You can check for errors in the console of the tracked site or reach out to Lucky Orange support if you are unsure.

wss://realtime.luckyorange.com/mqtt

PreviousChat NextCookies & Storage

Last updated 5 days ago