Browser monitor issues with Content Security Policy
Content Security Policy (CSP) is a security layer that assists in detecting and mitigating specific types of attacks, such as Cross Site Scripting (XSS) and data-injection attacks.
Unfortunately, the applied CSP settings are likely to prevent the browser from sending monitoring data to the Dynatrace server.
If you use custom JavaScript events, you can avoid this by using script-src 'unsafe-eval'.
In other cases, the page must be modified to allow connections relative to the URL. The following are example scenarios:
Example 1
CSP settings specified by using the <meta> tag are likely to prevent the browser from sending monitoring data to Dynatrace Server.
To resolve this issue, you can either set up a CSP HTTP header by replacing any existing CSP <meta> tag or add your environment URL to CSP, as shown in the following example:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' https://{your environment id}.live.dynatrace.com">
Example 2
A page loaded from http://www.mydomain.com returns no data in the UI because the CSP settings specify connect-src https://.
In such a case, you can try either of the following:
- Add http:// to connect-src.
- Switch the test to load https://www.mydomain.com instead of http://www.mydomain.com.
Example 3
A page loaded from http://mydomain.com returns no data in the UI because the CSP rules specify connect-src http://*.mydomain.com.
In this case, add http:// to connect-src.
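The three scenarios above can be checked before deployment with a small matcher. The following is an added example, not Dynatrace code: it implements a simplified version of CSP source matching for connect-src, so you can test whether a policy would block a request from a given page. The function names and the "/beacon" path are hypothetical, and scheme sources are assumed to be written in the standard form (https:, http:).

```javascript
// Added example: simplified CSP connect-src matching.
// Not modeled: paths, ws/wss, port upgrade, redirects, multiple policies.
function effectiveConnectSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Only the first occurrence of a directive is used.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  // connect-src falls back to default-src; neither present means unrestricted.
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

// An "http" source also matches https (scheme upgrade), never the reverse.
const schemeMatches = (src, actual) =>
  src === actual || (src === 'http' && actual === 'https');

function sourceMatches(s, page, target) {
  const scheme = target.protocol.slice(0, -1);
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return scheme === 'http' || scheme === 'https';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s.slice(0, -1), scheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // malformed source expression
  const [, srcScheme, host, port] = m;
  // A host source without a scheme inherits the page's scheme.
  if (!schemeMatches(srcScheme ?? page.protocol.slice(0, -1), scheme)) return false;
  const hostOk = host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1)) // "*.a.com" does not match "a.com"
    : target.hostname === host;
  const defaultPort = scheme === 'https' ? '443' : '80';
  const portOk = port === '*' || (target.port || defaultPort) === (port ?? defaultPort);
  return hostOk && portOk;
}

function connectAllowed(policy, pageUrl, targetUrl) {
  const sources = effectiveConnectSources(policy);
  if (sources === null) return true;
  const [page, target] = [new URL(pageUrl), new URL(targetUrl)];
  return sources.some((src) => sourceMatches(src, page, target));
}

// Constructed inputs for Examples 2 and 3; "/beacon" is a placeholder path.
const demo = [
  connectAllowed('connect-src https:', 'http://www.mydomain.com/', 'http://www.mydomain.com/beacon'),
  connectAllowed('connect-src http://*.mydomain.com', 'http://mydomain.com/', 'http://mydomain.com/beacon'),
];
console.log(demo);
```

Both constructed checks are blocked: the first because an https: source does not cover an http request, the second because the *.mydomain.com wildcard covers subdomains only and not mydomain.com itself.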