Understanding: Content Security Policies
A Content Security Policy (CSP) is a browser-enforced security layer that restricts where resources can be loaded from.
Note: This is a technical guide. You may need to work with your development team or hosting provider to update your CSP configuration, as it is typically managed at the server or application level.
Why is this required?
Grow campaigns load external resources which, if not explicitly allowed in your CSP, will be blocked. This may result in:
- Campaigns not rendering
- Missing styles or broken layouts
- Features not functioning correctly
Domains to allowlist
If your company is implementing Content Security Policy on the site where you are embedding a Grow experience, you will need to allowlist the following domains:
default-src 'none';
script-src-elem https://*.wayin.com;
frame-src https://*.wayin.com;
script-src 'unsafe-inline' 'unsafe-eval';
style-src https://*.wayin.com 'unsafe-inline';
connect-src https://*.wayin.com;
These domains are used to deliver campaign assets and services across different regions and environments.
Update your CSP
CSP rules are typically defined via an HTTP response header, most commonly called Content-Security-Policy, or via meta tags in the HTML. The policy consists of one or more directives, each controlling a specific type of resource such as scripts, styles, images, or network requests.
To update a CSP, you must modify the policy defined in your server or application configuration.
On any page where Grow campaigns are embedded, you will need to update your CSP to include the required domains:
default-src 'self' https://*.wayin.com https://*.eu.experiences.engageplatform.com https://*.us.experiences.engageplatform.com https://fonts.googleapis.com;
Note: Because CSP directly affects how content is loaded, changes should be tested carefully to avoid breaking any functionality.
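The following is an added example, not Grow's own code: a Node.js sketch that merges the directives listed under "Domains to allowlist" into an existing policy instead of overwriting it, and flags the case where an added 'unsafe-inline' would have no effect. The function names (parseCsp, mergeGrowCsp) and the sample policy are hypothetical.

```javascript
// Sources from the directive list on this page, keyed by directive.
const GROW_SOURCES = {
  'script-src-elem': ['https://*.wayin.com'],
  'frame-src': ['https://*.wayin.com'],
  'script-src': ["'unsafe-inline'", "'unsafe-eval'"],
  'style-src': ['https://*.wayin.com', "'unsafe-inline'"],
  'connect-src': ['https://*.wayin.com'],
};
// CSP fallback chains: a directive that is absent inherits from these.
const FALLBACK = {
  'script-src-elem': ['script-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'connect-src': ['default-src'],
};
// Constructed sample policy for illustration, not taken from any real site.
const SAMPLE = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'none'; img-src 'self' data:";

// Parse "name src src; name src" into a Map, preserving directive order.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so keep only the first.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function mergeGrowCsp(existingHeader) {
  const original = parseCsp(existingHeader);
  const policy = new Map(original);
  const warnings = [];
  for (const [name, required] of Object.entries(GROW_SOURCES)) {
    // Creating a directive stops its fallback from applying, so seed a new
    // directive with what it inherited, or the site's own resources break.
    const inherited = [name, ...FALLBACK[name]].find((d) => original.has(d));
    // 'none' only takes effect as the sole source, so drop it before adding.
    const merged = (original.get(inherited) || []).filter((s) => s.toLowerCase() !== "'none'");
    // 'unsafe-inline' is ignored when the directive also has a nonce or hash.
    if (required.includes("'unsafe-inline'") && merged.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s))) {
      warnings.push(`${name}: 'unsafe-inline' has no effect next to a nonce or hash`);
    }
    for (const src of required) if (!merged.includes(src)) merged.push(src);
    policy.set(name, merged);
  }
  const header = [...policy].map(([n, s]) => [n, ...s].join(' ')).join('; ');
  return { header, warnings };
}
```

Calling mergeGrowCsp(SAMPLE) returns the merged header string plus a warnings array; review the warnings before deploying the header.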