Please log in to continue
WalkMe stores your data in the region chosen during account setup.
We have data centers in the US and EU that follow local privacy and compliance laws. If you're not sure which region to select, check with your admin.
A Content Security Policy (CSP) lets website owners specify which domains can load specific types of content. CSP is only relevant for non-IE browsers.
CSP works by allowlisting approved sources for your website, blocking any content from outside the defined policy. This is different from a general allowlist that controls access within an organization. With CSP, the restriction applies regardless of who you are or what computer you use — if you're in Chrome, Firefox, or Safari, the policy applies.
WalkMe is affected when a site's CSP doesn't include WalkMe domains, which prevents WalkMe scripts from loading.
To find out what a site's CSP is:
A CSP defines which sources are allowed for each type of content. Common content types and their directives:
If a source isn't defined in the CSP and there's no default, all sources are allowed for that type.
If WalkMe is blocked by your CSP, its files won't load and your content won't appear. To fix this, add WalkMe's domains to the right directives in your policy.
*.walkme.com Used for loading and rendering dynamic WalkMe content. Examples: ShoutOuts, WalkMe Menu'unsafe-inline' *.walkme.com Used for inline style attributes. Examples: Smart Walk-Thru steps'self' *.walkme.com Used for loading frames. Examples: Switch to Steps, iFrames inside a step*.walkme.com Used to frame resources from WalkMe domains. Example: Resources in a lightbox'self' data: *.walkme.com Used to download WalkMe fonts from WalkMe servers. Example: WalkMe Menu and widget font'self' data: *.walkme.com s3.walkmeusercontent.com eu-s3.walkmeusercontent.com Used by the WalkMe Events collector to insert an image pixel that catches element "seen" events. Examples: Images and resources'self' *.walkme.com Used to send XMLHttpRequests for WalkMe end-user events. Examples: Insights, Goals, Tasks, TeachMe, Onboarding, ActionBotblob: *.walkme.com Used to send events using a worker. Example: Session Playback*.walkme.com Example: Session Playbackscript-src 'self' *.walkme.com 'unsafe-inline'; style-src 'self' *.walkme.com 'unsafe-inline'; img-src 'self' *.walkme.com s3.walkmeusercontent.com d3sbxpiag177w8.cloudfront.net data:; font-src 'self' *.walkme.com data:; connect-src 'self' *.walkme.com; frame-src 'self' *.walkme.com blob:; worker-src 'self' blob: *.walkme.com;
For accounts using the WalkMe US Data Center:
For accounts using the WalkMe EU Data Center:
If you're using a self-hosted setup, narrow down your CSP directives based on your existing configuration. Scripts, styles, fonts, images, and frames load from the origin rather than from WalkMe, so not all directives listed above will apply.
If WalkMe isn't loading in any browser except Edge, your CSP may be blocking it. To check:
If you see one, contact your IT team and ask them to add WalkMe's domains to the relevant directives.
If your CSP meta tag is in your site's HTML <head> tag, this can also block WalkMe from loading. Share the "Content Security Policy" error message from the Console tab with your IT team so they can resolve it.