WalkMe Content Security Policy

Last Updated March 28, 2024

Brief Overview

A Content Security Policy (CSP) is a method of specifying domains from which specific types of content are allowed to be loaded. This is created by the owners of the website, and is only relevant for non-IE/Edge browsers.

CSP is essentially an allowlist for your website that blocks content from sources outside the policy. This differs from the general allowlisting a customer does to allow access to certain websites within their organization: with CSP, it doesn't matter which organization or computer you access the site from. If you're in Chrome, Firefox, or Safari, the restriction still applies.

This impacts WalkMe because there are sites that have configured a CSP that does not include WalkMe, and therefore it will prevent WalkMe from loading scripts.


To see what a site's CSP is, follow these instructions:

  1. Go to the Network tab
  2. Click the request of the main page (probably the first request)
  3. The CSP will be listed under "content-security-policy" in the Headers tab

Technical Deep Dive

A CSP can specify exactly what sources are allowed for exactly what types of content. 

Some content type examples are:

JavaScript → script-src

CSS → style-src

Images → img-src

Default (The default will be used if a type of content is not specified) → default-src 

If a content type has no directive of its own in the CSP and there is no default-src, all sources are allowed for that type.
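The fallback rule described above, as an added example (not WalkMe's code): a small JavaScript checker that parses a policy, finds the directive that governs a content type, and reports whether a given URL would be allowed. It goes slightly beyond the text by also applying the CSP fallback chains for worker-src and frame-src; the host cdn.vendor.example, the page origin, and all policy strings used with it are constructed placeholders.

```javascript
// Added example; every policy string and host name used with it is constructed.

// Fetch directives whose fallback is longer than "directive, then default-src".
const FALLBACK = { 'worker-src': ['child-src', 'script-src'], 'frame-src': ['child-src'] };
// Directives that never fall back to default-src.
const NO_DEFAULT = new Set(['frame-ancestors', 'base-uri', 'form-action']);

// Parse a Content-Security-Policy header value into Map(directive -> sources).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match one source expression against a URL. Handles *, 'self', scheme
// sources (data:, blob:), exact hosts and *.wildcard hosts. Ports, paths
// and keyword sources such as 'unsafe-inline' are not modelled.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  // A bare * covers network schemes only, so data: and blob: need their own entry.
  if (source === '*') return u.protocol === 'http:' || u.protocol === 'https:';
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && u.protocol !== m[1].toLowerCase() + ':') return false;
  const host = m[3].toLowerCase();
  // *.example.com matches subdomains but not example.com itself.
  return m[2] ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// Decide whether `url` may load as `directive` content on a page at pageOrigin.
// `decidedBy` is the directive that applied, or null when none did (all allowed).
function checkCsp(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const chain = [directive, ...(FALLBACK[directive] || [])];
  if (!NO_DEFAULT.has(directive)) chain.push('default-src');
  const decidedBy = chain.find((d) => policy.has(d)) ?? null;
  if (decidedBy === null) return { allowed: true, decidedBy };
  return { allowed: policy.get(decidedBy).some((s) => sourceMatches(s, url, pageOrigin)), decidedBy };
}
```

Calling checkCsp with the header value copied from the Network tab and a vendor script URL shows which directive your IT team would need to extend.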

For WalkMe to load - SaaS

If WalkMe is blocked by your CSP, its files will not load and your content will not appear. To get WalkMe to load on a site with a CSP, WalkMe's domains need to be added to the policy under the right sections.

| Directive | Source | Description and use | Example |
|---|---|---|---|
| script-src | 'unsafe-inline' * | 1. Defines valid sources of JavaScript (WalkMe lib, WalkMe player) 2. Loading and rendering dynamic elements on screen | ShoutOuts, WalkMe Menu |
| style-src | 'unsafe-inline' * | 1. Defines valid sources of stylesheets 2. Using style attributes inside HTML elements | Smart Walk-Thrus Steps (<div style="...">) |
| frame-src | 'self' * | Defines valid sources for loading frames | Switch to Steps, iFrame inside a Step |
| frame-ancestors | * | Used to frame resources coming from WalkMe domains | Resources in lightbox |
| font-src | * | Used for downloading WalkMe font from WalkMe server | WalkMe Menu and Widget font |
| img-src | * | WalkMe Events collector inserts image (pixel) to catch element "seen" event | Images and Resources |
| connect-src | 'self' * | Send XMLHttpRequest about WalkMe end-user event | Insights, Goals, Tasks, TeachMe, OnBoarding, ActionBot |
| worker-src | blob: * | Used to send events using a Worker | Session Playback |
| object-src | * | | Session Playback |

Content-Security-Policy: script-src 'self' * 'unsafe-inline'; style-src 'self' * 'unsafe-inline'; img-src 'self' * data:; font-src 'self' * data:; connect-src 'self' *; frame-src 'self' * blob:; worker-src 'self' blob: *;

* addresses

For accounts using the US / Global Data Center:


For accounts using the EU Data Center:


For WalkMe to load - Self Hosted

When the customer is using Self-hosted, the CSP directives should be narrowed down depending on the existing configuration, since the scripts, styles, fonts, images, and frames are loaded from the site's own origin and not from WalkMe.

Confirming CSP Issues

If WalkMe is not loading in any browser except for IE and Edge, it may be due to your CSP. You can check for CSP errors by opening the Developer Tools and clicking the Console tab. After reloading the page, you may see a "Content Security Policy" error message there.

This is when you should reach out to your IT team and ask them to add WalkMe's domains to the relevant sections.

If your CSP is defined in a meta tag under your site's HTML head tag, this can also prevent WalkMe from loading. In that situation, provide the "Content Security Policy" error message you found in the Developer Tools to your IT team so they can resolve the issue.
