Solved

Klaviyo URLs for CSP

  • November 23, 2021
  • 5 replies
  • 398 views


Does Klaviyo have a list of URLs we can include in our site CSP?

As per https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Thanks


alex.hong
  • Klaviyo Alum
  • 1552 replies
  • Answer
  • November 23, 2021

Hey there @Mailing!

I've checked in with my team and we don't currently have a list like you're requesting; however, all of the resources will originate from klaviyo.com, and so I believe that your example from the first email of using *.klaviyo.com is going to be the best way to accomplish this.

Hope this helped!
Alex



Hi @alex.hong,

I’d like to follow this up with a request for a page in the documentation specifically related to CSP configuration for Klaviyo and any on-site scripts.

There are a number of different assets required to be added to the CSP and simply adding *.klaviyo.com to all directives is not best practice.

Providing the specific directives and the URLs such as here https://developers.google.com/tag-platform/tag-manager/web/csp so that a wildcard doesn’t need adding would be far more useful.

Regards,
David.


alex.hong
  • Klaviyo Alum
  • 1552 replies
  • December 6, 2021

Hi there @dgreenwooduktf!
Thank you for your feedback and additional details regarding this matter with Klaviyo and CSPs. I have put your comments into a product request so that our team can get some eyes on this feature.

Have a good day,

Alex


  • Contributor I
  • 1 reply
  • August 31, 2022

You’ll need the following:

connect-src *.klaviyo.com; script-src *.klaviyo.com;

It doesn’t inspire confidence when things like this aren’t documented.

 



Hi @alex.hong,

Wanted to get an update on this and also to point out that https://static-tracking.klaviyo.com/onsite/js/datadome.js is making a connection to https://api-js.datadome.co/js/ which also needs documenting.

Has this document been created yet? Searching for information on Klaviyo’s CSPs just brought me back here again.

Thanks,
David.
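
The two directives posted in this thread can be checked against the requests the thread mentions. The following is an added example, not part of any post and not Klaviyo's code: it implements a simplified form of CSP host-source matching (hosts only), and the `https://klaviyo.com/` request and the `WITH_DATADOME` policy are constructed for illustration.

```javascript
// Added example. Simplified CSP host-source matching: compares hosts only and
// ignores schemes, ports, paths and quoted keywords such as 'self'.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) { // first occurrence wins
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function hostMatches(pattern, host) {
  const [p, h] = [pattern.toLowerCase(), host.toLowerCase()];
  if (p === '*') return true;
  // "*.example.com" covers subdomains only, never the bare apex domain.
  return p.startsWith('*.') ? h.endsWith(p.slice(1)) : p === h;
}

// Reduce a source expression such as "https://host:443/path" to its host.
const sourceHost = (s) =>
  s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0];

function isAllowed(directives, directive, url) {
  // connect-src and script-src both fall back to default-src when absent.
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing restricts this fetch type
  const host = new URL(url).hostname;
  return sources.filter((s) => !s.startsWith("'")).some((s) => hostMatches(sourceHost(s), host));
}

// Returns "directive origin" for every request the policy would block.
function audit(policy, requests) {
  const directives = parsePolicy(policy);
  return requests
    .filter((r) => !isAllowed(directives, r.directive, r.url))
    .map((r) => `${r.directive} ${new URL(r.url).origin}`);
}

const THREAD_POLICY = 'connect-src *.klaviyo.com; script-src *.klaviyo.com;';
// Constructed variant: the thread's policy plus the DataDome origin in connect-src.
const WITH_DATADOME = 'connect-src *.klaviyo.com https://api-js.datadome.co; script-src *.klaviyo.com;';
const REQUESTS = [ // the two URLs named in the thread, plus one constructed apex case
  { directive: 'script-src', url: 'https://static-tracking.klaviyo.com/onsite/js/datadome.js' },
  { directive: 'connect-src', url: 'https://api-js.datadome.co/js/' },
  { directive: 'connect-src', url: 'https://klaviyo.com/' },
];
console.log(audit(THREAD_POLICY, REQUESTS));
```

The thread does not list every host Klaviyo needs, so in practice `REQUESTS` would be filled from violations collected with a `Content-Security-Policy-Report-Only` header.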