Content Security Policy

A common layer of security used by many websites is a Content Security Policy (CSP). These policies help prevent unauthorized access to website visitor data and can help mitigate certain types of website attacks. If your website uses a CSP, you will need to whitelist the Lucky Orange tracking script so that features like recordings, chat, and the heatmap tool function properly.

Necessary policy additions

| Directive | Value |
| --- | --- |
| connect-src | https://*.luckyorange.com https://pubsub.googleapis.com wss://*.visitors.live |
| script-src | https://tools.luckyorange.com |
| worker-src | blob: |

Note: The blob: source is used to improve the performance of our code by performing certain actions within a web worker. The googleapis.com source is used as a fallback in the rare event our own data ingestion pipeline is unavailable.

Note: For most sites, the additions in the table above will be enough. However, if you notice that live chat, surveys, or announcements are not being triggered and you aren't able to see live visitors, you may need to add the additional value below to the connect-src directive. You can check for errors in the console of the tracked site or reach out to Lucky Orange support if you are unsure.

wss://realtime.luckyorange.com/mqtt
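The following sketch merges the sources above into an existing policy string. It is an added example, not Lucky Orange's own code, and the names parseCsp and addLuckyOrange are hypothetical. It goes slightly beyond the table by handling one case: when a directive is absent, the browser falls back to another directive (for example default-src), so a newly created connect-src that listed only the Lucky Orange sources would stop inheriting values such as 'self'.

```javascript
// Sources from the table above. The optional MQTT endpoint is added only on request.
const REQUIRED = {
  "connect-src": ["https://*.luckyorange.com", "https://pubsub.googleapis.com", "wss://*.visitors.live"],
  "script-src": ["https://tools.luckyorange.com"],
  "worker-src": ["blob:"],
};
const OPTIONAL_CONNECT = "wss://realtime.luckyorange.com/mqtt";

// Fallback order browsers use when a directive is absent (CSP Level 3).
const FALLBACK = {
  "connect-src": ["default-src"],
  "script-src": ["default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Parse "name v1 v2; name2 v3" into a Map; the first occurrence of a directive wins.
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), values);
  }
  return map;
}

// Hypothetical helper: return the policy with the Lucky Orange sources merged in.
function addLuckyOrange(policy, { realtime = false } = {}) {
  const original = parseCsp(policy);
  const merged = new Map(original);
  for (const [directive, sources] of Object.entries(REQUIRED)) {
    const wanted = directive === "connect-src" && realtime ? [...sources, OPTIONAL_CONNECT] : sources;
    // A newly created directive stops inheriting, so seed it from the fallback in effect today.
    const inherited = FALLBACK[directive].find((d) => original.has(d));
    const base = original.get(directive) ?? (inherited ? original.get(inherited) : null);
    if (base === null) continue; // nothing restricts this fetch type; leave it unrestricted
    // 'none' must be the only value in a directive, so drop it before adding sources.
    const current = base.filter((v) => v.toLowerCase() !== "'none'");
    merged.set(directive, [...new Set([...current, ...wanted])]);
  }
  return [...merged].map(([name, values]) => [name, ...values].join(" ")).join("; ");
}

// Constructed sample policy, not taken from any real site.
console.log(addLuckyOrange("default-src 'self'; script-src 'self' 'nonce-abc'; object-src 'none'"));
```

Running the function on its own output returns the same string, so it can be applied repeatedly in a deploy step without accumulating duplicate sources.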
