Content Security Policy (CSP) Requirements for Digioh

To ensure that Digioh’s on-site widgets (pop-ups, sidebars, inlines, banners, quizzes, etc.) function properly on a website with a Content Security Policy (CSP) in place, certain domains and directives must be explicitly allowed. This document outlines the required CSP entries and optional ones depending on integration and tracking needs.

Overview

Digioh widgets rely on external scripts, assets, fonts, and API endpoints. Restrictive CSP settings can prevent these resources from loading, breaking functionality or blocking analytics, forms, and UI features. Use this document to configure your CSP headers for optimal compatibility.

DevTools Console CSP Error Example

If you are not allowing these scripts, widgets will not load properly, and you will see errors like these:

Refused to connect to 'https://api.digioh.com' because it violates the following Content Security Policy directive...

Recommended CSP Directives for Digioh

Add the following directives to your site’s CSP configuration:

script-src

Allow Digioh scripts and supporting libraries:

https://cdn.digioh.com https://scripts.digioh.com https://lightboxcdn.digioh.com https://www.google-analytics.com https://www.googletagmanager.com

⚠️ Add 'unsafe-inline' only if necessary, such as when using inline event handlers or legacy support for custom JavaScript.

connect-src

For API and integration traffic:

https://api.digioh.com https://jsapi.azurewebsites.net https://www.google-analytics.com https://analytics.digioh.com https://*.your-ESP-domain.com

Replace your-ESP-domain.com with platforms like *.klaviyo.com, *.iterable.com, or *.braze.com.

img-src

Images and tracking pixels:

https://cdn.digioh.com https://*.google-analytics.com https://*.doubleclick.net data:

frame-src or child-src

For embedded Digioh iframes:

https://digioh.com https://*.digioh.com

style-src

To load Digioh widget styles:

https://cdn.digioh.com https://fonts.googleapis.com 'unsafe-inline'

Inline styles are used in some Digioh layout customizations, so 'unsafe-inline' may be required unless you’ve converted all styles to external stylesheets.

font-src

For custom fonts:

https://fonts.gstatic.com

Optional: Based on Marketing Tools

If using these platforms, consider adding:

Facebook / Meta Pixel:

https://www.facebook.com https://connect.facebook.net

Google Ads & Conversions:

https://www.googleadservices.com https://pagead2.googlesyndication.com

Additional Notes

  • Extension support: Several Digioh extensions (e.g., GTM Campaign Events, Form Data Sync) interact with external platforms—confirm their needs as well. For example, our internationalization extension may use external Google Sheets spreadsheets, so you also need to authorize its domain.


Need Help?

Contact Digioh Support at support@digioh.com or your dedicated Account Manager to review your CSP policy against your integration setup.

Want to get more from Digioh?

Get the playbooks leading brands use to convert more visitors into revenue.

Browse the Playbooks ?

Platform Tour

See what else you can do with Digioh in our self-guided platform tour.

Take the Tour ?

Still Need Help?

Connect with our team for technical help.

Message Support