Browser monitor issues with Content Security Policy

Content Security Policy (CSP) is a security layer that assists in detecting and mitigating specific types of attacks, such as Cross Site Scripting (XSS) and data-injection attacks.

Unfortunately, the applied CSP settings are likely to prevent the browser from sending monitoring data to the Dynatrace Server.

As a first and preferred method to have Chrome bypass the CSP of any monitored pages in your single-URL browser monitor or browser clickpath, enable the Bypass Content Security Policy (CSP) of monitored page option in monitor settings. You can do this in Additional options when creating a browser monitor or in Advanced setup in monitor settings in edit mode.

CSP bypass

If you're unable to use this option for some reason, refer to the alternative solutions for bypassing CSP below.

Advanced methods to bypass CSP

Your CSP rules, such as the following, prevent Dynatrace from sending requests to a path relative to the page URL:
"Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'"

If you use custom JavaScript events, you may see the following JavaScript error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed. To avoid this, your page needs to allow script-src unsafe-eval.

In other cases, you must modify the page to allow connections relative to the URL. The following are example scenarios:

Example 1

CSP settings specified by using the <meta> tag are likely to prevent the browser from sending monitoring data to Dynatrace Server.

To resolve this issue, you can either set up a CSP HTTP header by replacing any existing CSP <meta> tag or add your environment URL to CSP, as shown in the following example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' https://{your environment id}.live.dynatrace.com">

Example 2

A page loaded from http://www.mydomain.com returns no data in the UI because the CSP settings specify connect-src https://.

In such a case, you can try either of the following:

Add http:// to connect-src.
Switch the test to load https://www.mydomain.com instead of http://www.mydomain.com.

Example 3

A page loaded from http://mydomain.com returns no data in the UI because the CSP rules specify connect-src http://*.mydomain.com.

In this case, add http:// to connect-src.