Setting up Content Security Policy (CSP) Directives

Modified on Mon, Apr 14 at 7:16 PM

Adding Content Security Policy (CSP) directives allows third-party tags such as Google Analytics, Facebook ads, AdWords, or Bing to load in your Blend environment.

Note: Blend does not allow the loading of analytics scripts that provide heat mapping or screen recording due to Privacy Policies. Blend prohibits the loading of scripts for polls, surveys, or chat functionality.

 

Setting up a CSP Directive in the Setup panel

Select the Content Security Policy (CSP) Directives tab within Analytics. If you are planning on triggering/loading 3rd-party image pixels, scripts, connections, or styles, you must allow the URLs according to the most appropriate source. Without this allowlist, any 3rd party loading will not work correctly.

  1. Log in to Blend.
  2. Navigate to Your settings > Setup.
  3. Select Analytics from the left-side menu.
  4. Click the CSP Directives tab.
  5. Click Edit to open up the fields for editing.
  6. Add the required URLs.
  7. Click Save when finished to apply changes.

Note: Please include the full domain path if needed, but do not enter any URL parameters.

  • Valid: https://www.google-analytics.com/j/collect
  • Invalid: https://www.google-analytics.com/j/collect?id=12345  

This configuration must first be performed in Beta and then tested before proceeding with the Production implementation. Blend strongly recommends that the Beta testing portion is not circumvented. Otherwise, potential issues may be introduced into the production environment which may impact both application and reporting performance.

 

Troubleshooting CSP Errors

  1. Go to the Blend Borrower application in Chrome
  2. Open Developer Tools (F12 Key by default)
  3. Once Developer Tools loads, go to the Console tab and click on “errors”
  4. Once in the errors section, click on each error and look for a CSP exception error - you will see something similar to the sample below
    1. Look for "Refused to load the script <script> because it violates the following Content Security Policy directive" - the message tells you which script was blocked and which CSP directives (script-src, unsafe-inline) need to be updated in Blend
  5. Go to your Blend Lender application > Your Settings > Setup > Analytics > CSP Directives and add a new CSP exception by copying and pasting each URL into the appropriate CSP directive type (image-src, connect-src, frame-src, script-src)
    1. Using the example below, you would create a script-src exception for https://nexus-test.ensighten.com 

Sample CSP Error

Refused to load the script 'https://nexus-test.ensighten.com/blend-sandbox/dev/Bootstrap.js' because it violates the following Content Security Policy directive: "script-src https://www.google.com https://www.google-analytics.com https://www.google-analytics.com/j/collect https://www.googletagmanager.com 'unsafe-inline' https://www.google-analytics.com https://nexus.ensighten.com https://metrics.usbank.com https://smetrics.usbank.com https://fls.doubleclick.net https://*.c3tag.com http://www.google-analytics.com https://www.googletagmanager.com *.doubleclick.net https://tagmanager.google.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
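
The triage in steps 4 and 5, as an added example that is not part of the original article or of Blend's tooling: it parses a Chrome "Refused to load" console error, reports the violated directive, and derives the entry to add (origin only, no URL parameters). The function names `sourceCovers` and `triageCspError` are hypothetical, and the source matching is a simplified version of what the browser does.

```javascript
// Added example: triage a Chrome "Refused to load ..." CSP console error.
// Source matching is simplified to scheme, host (leading "*." wildcard) and path;
// keywords ('unsafe-inline'), nonces, hashes and sources with ports never match.
const CSP_ERROR =
  /Refused to load the (\S+) '([^']+)' because it violates the following Content Security Policy directive: "([a-z-]+)"?\s+([^"]*)"/;

function sourceCovers(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:']+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  // Assumption: the page is served over HTTPS, so a scheme-less source means https.
  const wanted = (scheme || "https").toLowerCase();
  const actual = url.protocol.slice(0, -1);
  if (wanted !== actual && !(wanted === "http" && actual === "https")) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.")
    ? url.hostname.endsWith(h.slice(1)) // "*.x.com" covers subdomains, not x.com
    : url.hostname === h;
  if (!hostOk) return false;
  if (!path || path === "/") return true;
  // A path ending in "/" is a prefix; any other path must match exactly.
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function triageCspError(message) {
  const m = CSP_ERROR.exec(message);
  if (!m) return null; // not a "Refused to load" CSP message
  const [, resource, blockedUrl, directive, sourceList] = m;
  const url = new URL(blockedUrl);
  const sources = sourceList.trim().split(/\s+/).filter(Boolean);
  return {
    resource,
    directive,
    blockedUrl,
    suggestedEntry: url.origin, // scheme + host only, never the query string
    coveredBy: sources.filter((s) => sourceCovers(s, url)), // empty for a real block
  };
}

// Constructed sample, shortened from the error format shown in this article.
const sample =
  "Refused to load the script 'https://nexus-test.ensighten.com/blend-sandbox/dev/Bootstrap.js' " +
  'because it violates the following Content Security Policy directive: "script-src ' +
  "https://www.google-analytics.com/j/collect 'unsafe-inline' https://nexus.ensighten.com " +
  'https://*.c3tag.com *.doubleclick.net". Note that \'script-src-elem\' was not explicitly set.';
console.log(triageCspError(sample));
```

`sourceCovers` can also be used to confirm that a candidate entry covers the blocked URL before saving it in Beta; an entry with a specific path such as `/j/collect` covers only that path.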
