Content Security Policy (CSP) and Skippership

Learn how to configure your Content Security Policy (CSP) to safely include the Skippership tracking script.

You can add the Skippership tracking script to your website without weakening your content security: it works within standard Content Security Policy (CSP) directives. You can read more about CSP on Mozilla’s Developer Guide.

How to Use Skippership with CSP

For Skippership to work correctly with your CSP directives, make sure you do the following:

  1. Add the following domain to your script-src and connect-src directives: https://*.skippership.com

  2. Add a nonce or a hash of the Skippership inline script (the one you embed on your site) to the script-src directive.

Important: Always include the *. prefix when whitelisting the Skippership domain (for example, https://*.skippership.com), as we operate multiple instances for performance and redundancy. Whitelisting only specific subdomains may still cause CSP-related issues for some visitors.

Example CSP Configuration

Here’s an example CSP header for a website that only loads scripts and makes requests from its own domain, plus the addition of the Skippership tracking script:

Content-Security-Policy: default-src 'self'; script-src 'self' https://*.skippership.com 'nonce-randomlyGeneratedBase64Nonce'; connect-src 'self' https://*.skippership.com;

And on the page itself, your script would look something like this:

<script nonce="randomlyGeneratedBase64Nonce">
  // Your Skippership tracking script here
</script>
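
The two options from step 2, a nonce or a hash of the inline script, sketched server-side as an added example (not Skippership's own code). The function names and the placeholder snippet are assumptions. A nonce must be generated fresh for every response; a hash covers the exact text between the script tags, whitespace included.

```python
import base64
import hashlib
import secrets

SKIPPERSHIP_SRC = "https://*.skippership.com"  # wildcard source from the page

# Constructed placeholder: substitute the exact inline snippet you embed.
INLINE_SNIPPET = "\n  // Your Skippership tracking script here\n"


def new_nonce() -> str:
    """Fresh, unpredictable nonce; call once per HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def hash_source(script_body: str) -> str:
    """CSP hash source for the exact text between <script> and </script>."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(inline_source: str) -> str:
    """Policy from the page's example with a nonce or hash source slotted in."""
    return (
        "default-src 'self'; "
        f"script-src 'self' {SKIPPERSHIP_SRC} {inline_source}; "
        f"connect-src 'self' {SKIPPERSHIP_SRC};"
    )


def render_with_nonce() -> tuple[str, str]:
    """Return (header value, script tag) sharing one per-response nonce."""
    nonce = new_nonce()
    tag = f'<script nonce="{nonce}">{INLINE_SNIPPET}</script>'
    return build_csp(f"'nonce-{nonce}'"), tag


def render_with_hash() -> tuple[str, str]:
    """Return (header value, script tag) for a static page; no nonce needed."""
    tag = f"<script>{INLINE_SNIPPET}</script>"
    return build_csp(hash_source(INLINE_SNIPPET)), tag


if __name__ == "__main__":
    for header, tag in (render_with_nonce(), render_with_hash()):
        print("Content-Security-Policy:", header)
        print(tag)
```

If you use the hash variant, recompute it whenever the embedded snippet changes, including changes to indentation or line breaks.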

Notes on Security

We strongly recommend not using 'unsafe-inline' in any directive. Doing so can weaken your CSP and make your site vulnerable to cross-site scripting (XSS) and other attacks.

For more details about using nonces and script content hashes, visit Mozilla’s documentation on CSP: script-src.