WalkMe Content Security Policy

Updated on April 30, 2020

Brief Overview

A Content Security Policy (CSP) is a method of specifying the domains from which specific types of content are allowed to be loaded. The policy is created by the owners of the website, and is only relevant for non-IE/Edge browsers.

CSP essentially whitelists the sources your website may load content from, so that content coming from sources outside the policy is blocked. This is different from the general whitelisting a customer does to allow access to certain websites within their organization: with CSP, it doesn't matter which organization or which computer you access a site from. If you're in Chrome, Firefox, or Safari, you'll still be hit with the restriction.

This impacts WalkMe because some sites have configured a CSP that does not include WalkMe, which prevents WalkMe from loading its scripts.


You can see what a site’s CSP is by:

  1. Going to the Network tab of the browser's Developer Tools
  2. Clicking the request of the main page (probably the first request)
  3. In the Headers tab, it will be listed under Content-Security-Policy

Technical Deep Dive

A CSP can specify exactly which sources are allowed for exactly which types of content. For example, it could say that JavaScript files can only load from *.walkme.com and *.salesforce.com (the script-src), that images can only load from *.google.com (the img-src), etc.

The script-src, img-src, font-src, etc. are referred to as directives. default-src is a directive that is used for any content types that are not called out explicitly in the CSP. For example, if there is no font-src directive specified but there is a default-src, font requests will have to pass the rules in the default-src directive.

If WalkMe is blocked by your CSP, its files will not load and your content will not appear. To get WalkMe to load on a site with a CSP, WalkMe’s domains need to be added to the policy under the right sections.

Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' cdn.walkme.com ec.walkme.com playerserver.walkme.com d3sbxpiag177w8.cloudfront.net papi.walkme.com;
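
To check an existing policy against the WalkMe domains in the header above, the following added example (not WalkMe's own code) parses a CSP header value and lists the hosts that the effective directive would block, applying the default-src fallback described earlier. Host matching is simplified, the function names are hypothetical, and the sample policy is constructed.

```javascript
// WalkMe hosts copied from the sample header on this page.
const WALKME_HOSTS = [
  "cdn.walkme.com", "ec.walkme.com", "playerserver.walkme.com",
  "d3sbxpiag177w8.cloudfront.net", "papi.walkme.com",
];

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(headerValue) {
  const policy = Object.create(null);
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Simplified source matching: "*", "https:", exact host, or "*.example.com".
// Scheme, port and path inside a host source are ignored.
function hostAllowed(host, source) {
  if (source === "*" || /^https:$/i.test(source)) return true; // assumes HTTPS loads
  // Keywords, nonces and hashes name no host; 'self' cannot match a third-party host.
  if (source.startsWith("'")) return false;
  const s = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
    .split("/")[0].split(":")[0].toLowerCase();
  return s.startsWith("*.") ? host.endsWith(s.slice(1)) : host === s;
}

// Hosts that the effective directive would block. If the directive is absent,
// default-src governs; if that is absent too, nothing is restricted.
function blockedHosts(headerValue, directive = "script-src", hosts = WALKME_HOSTS) {
  const policy = parseCsp(headerValue);
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return [];
  return hosts.filter((h) => !sources.some((src) => hostAllowed(h, src)));
}

// Constructed sample policy: no script-src, so scripts fall back to default-src.
const SAMPLE = "default-src 'self' *.walkme.com; img-src *.google.com";
console.log(blockedHosts(SAMPLE));
```

Any host the function returns is one that still needs to be added to the governing directive before WalkMe's scripts can load.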

Confirming CSP Issues

If WalkMe is not loading in any browser except for IE and Edge, it may be due to your CSP. You can check for CSP errors by opening up the Developer Tools and clicking on the Console tab. After reloading the page, you may see an error message similar to that in the screenshot below.

This is when you should reach out to your IT team and ask them to add WalkMe’s domains to the relevant sections.
