# Content Security Policy (CSP)
If your website sends a Content-Security-Policy header, you need to allow the Rose widget domains in it. Without the correct CSP directives, the browser will block the widget script from loading and block its requests to our API.
## Required Domains

| Domain | Purpose |
|---|---|
| https://cdn.userose.ai | Widget script and assets |
| https://api.userose.ai | API requests |
## Required Directives
Add these directives to your Content-Security-Policy header:
| Directive | Value | Reason |
|---|---|---|
| script-src | https://cdn.userose.ai | Loads the widget JavaScript |
| connect-src | https://api.userose.ai https://cdn.userose.ai | API calls and asset fetching |
## Example

```
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.userose.ai; connect-src 'self' https://api.userose.ai https://cdn.userose.ai
```
**Note:** This is a minimal example. Your actual CSP header will likely include other directives for your existing scripts and services. Append the Rose domains to your existing script-src and connect-src lists rather than replacing them.
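As an added example (not Rose's own code), the helper below appends the two Rose origins to an existing header's script-src and connect-src lists without replacing anything already there, and reports which required origins a header still blocks. The starting header value is constructed for the example.

```python
"""Merge the Rose widget origins into an existing Content-Security-Policy value."""

# The origins this page requires, per directive.
REQUIRED = {
    "script-src": ["https://cdn.userose.ai"],
    "connect-src": ["https://api.userose.ai", "https://cdn.userose.ai"],
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}, keeping order."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Render the parsed policy back into a header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def add_rose_origins(header: str) -> str:
    """Append the Rose origins to script-src and connect-src, keeping existing sources.

    A directive that is absent is created and seeded from default-src, because that is
    the fallback the browser applies when the directive is missing; creating it empty
    would silently drop the sources the site already relied on.
    """
    policy = parse_csp(header)
    fallback = policy.get("default-src", [])
    for directive, origins in REQUIRED.items():
        sources = policy.setdefault(directive, list(fallback))
        for origin in origins:
            if origin not in sources:
                sources.append(origin)
    return serialize_csp(policy)


def missing_rose_origins(header: str) -> list[str]:
    """Return 'directive origin' pairs the header would still block (empty means OK).

    Literal match only: wildcard sources such as '*' or 'https:' are not interpreted.
    """
    policy = parse_csp(header)
    fallback = policy.get("default-src", [])
    return [f"{d} {o}" for d, origins in REQUIRED.items()
            for o in origins if o not in policy.get(d, fallback)]
```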
## Verifying
After updating your CSP header:
- Open your website in a browser
- Open Developer Tools → Console tab
- If the CSP is still blocking Rose, you will see errors such as `Refused to load the script` or `Refused to connect` mentioning `cdn.userose.ai` or `api.userose.ai`
For more help, contact your Rose account manager.