Skip to main content

Content Security Policy (CSP)

If your website uses a Content Security Policy, you need to whitelist Told's domains for the SDK to work properly.

Domains to allow

DomainPurposeCSP directives
https://scripts.told.clubSDK scriptscript-src
https://widget.told.clubSurvey widget (iframe)frame-src, connect-src
https://producttour.told.clubProduct tour (iframe)frame-src, connect-src
https://producttoureditor.told.clubProduct tour editor (iframe)frame-src, connect-src
https://api.told.clubAPI (GraphQL HTTP)connect-src
wss://api.told.clubAPI (GraphQL WebSocket)connect-src
https://app.told.clubDashboard communicationframe-src

Example CSP header

Content-Security-Policy:
  script-src 'self' https://scripts.told.club;
  frame-src 'self' https://widget.told.club https://producttour.told.club https://producttoureditor.told.club https://app.told.club;
  connect-src 'self' https://api.told.club wss://api.told.club https://widget.told.club https://producttour.told.club https://producttoureditor.told.club;

Example CSP meta tag

<meta http-equiv="Content-Security-Policy"
  content="script-src 'self' https://scripts.told.club;
           frame-src 'self' https://widget.told.club https://producttour.told.club https://producttoureditor.told.club https://app.told.club;
           connect-src 'self' https://api.told.club wss://api.told.club https://widget.told.club https://producttour.told.club https://producttoureditor.told.club;">

What happens if a domain is missing

Missing domainSymptom
scripts.told.club in script-srcSDK doesn't load at all
api.told.club in connect-srcSDK loads but can't reach the API — no surveys appear
widget.told.club in frame-srcSurveys don't display (iframe blocked)
producttour.told.club in frame-srcProduct tours don't display
producttoureditor.told.club in frame-srcProduct tour editor doesn't open
wss://api.told.club in connect-srcReal-time features don't work (subscriptions)
warning

CSP violations appear as errors in the browser console, typically starting with "Refused to load..." or "Refused to connect...". Check the console if surveys or product tours don't appear.