Content Security Policy

Some applications enforce content security policies (CSP). You have to add exceptions for Product Fruits domains or the domains of any 3rd party integration you might use. A typical example is videos on tour cards. Based on the video provider you use, you might want to enable also their domains. 

For Product Fruits domains, use these CSPs:

script-src 'unsafe-inline' https://*; 
connect-src https://* wss://*;
style-src 'unsafe-inline' https://*; 
img-src data: https://*;
frame-src https://*;
media-src blob:;

If you use our integrations with Giphy, Tenor, Typeform, you must also properly create CSP exceptions for the necessary domains.


Script-src 'unsafe-inline' is needed when installing Product Fruits using the <script> tag (other platforms installation), or if you'd like to use the custom javascript trigger (due to the use of the javascript eval() function). It's not needed when installing Product Fruits via our NPM packages.

To avoid using the style-src 'unsafe inline', we can enable an alternative feature for your account that uses a newer browser api to render css natively instead of injecting it directly. If interested, please message us in our live chat or message us at