Content Security Policy
If your site enforces a Content Security Policy (CSP), you need to allow the DataGrail consent script and its network requests in your policy headers. Without the correct directives, browsers will block the script from loading or connecting to DataGrail services.
Required CSP Directives
Add the following directives to your Content Security Policy header to allow the consent script to load and operate:
script-src 'unsafe-inline' https://api.consentjs.datagrail.io;
connect-src 'self' https://api.consentjs.datagrail.io;
| Directive | Value | Purpose |
|---|---|---|
| script-src | 'unsafe-inline' https://api.consentjs.datagrail.io | Allows the loader to be fetched from the DataGrail origin; the 'unsafe-inline' keyword permits the inline embed snippet to run |
| connect-src | 'self' https://api.consentjs.datagrail.io | Allows the consent script to fetch configuration and consent data from DataGrail and to send saved preferences back |
Merge these directives into your existing CSP rather than replacing it. If you already have a script-src or connect-src directive, append the DataGrail values to it. If you have neither and rely on default-src, remember that a newly added script-src or connect-src ends the fallback to default-src for that resource type, so carry over the default-src sources your other scripts and requests still need.
Avoiding 'unsafe-inline'
The 'unsafe-inline' keyword permits every inline script on the page, which gives up most of the protection a CSP provides against injected script, so many security teams avoid it. Browsers also ignore 'unsafe-inline' when the same script-src list carries a nonce or hash source, so a policy that already uses nonces gains nothing from adding it. You can drop the requirement by enabling Subresource Integrity (SRI) on your consent container.
With SRI enabled, the container is embedded as an external script tag carrying integrity and crossorigin attributes rather than as an inline snippet. The browser verifies the fetched script against the integrity hash, and the policy only has to allow the DataGrail origin:
script-src https://api.consentjs.datagrail.io;
connect-src 'self' https://api.consentjs.datagrail.io;
The integrity attribute is what lets the browser verify the script's contents; the reason 'unsafe-inline' can go is that the SRI embed has no inline code, so the host allow-list in script-src is enough. SRI does not by itself satisfy CSP for inline scripts, so remove the inline snippet from the page when you tighten the policy.
To enable SRI on your container, follow the steps in the Subresource Integrity (SRI) section of the Embedded Deployment guide.
Troubleshooting
The consent banner does not appear and the browser console shows a CSP violation
Check your browser's developer console for errors like Refused to load the script or Refused to connect. These indicate that your CSP is blocking either the script source or the network connection. Verify that both the script-src and connect-src directives include the DataGrail domains listed above, and that the directive is not a second occurrence of one already in the header, since browsers honour only the first. To find violations without breaking the banner for visitors, you can first ship the changed policy under the Content-Security-Policy-Report-Only header and review the reports before enforcing it.
The banner loads but consent preferences are not saved
This typically means the connect-src directive is missing or incomplete. The consent script needs to communicate with https://api.consentjs.datagrail.io to save preferences. Ensure your connect-src includes both 'self' and https://api.consentjs.datagrail.io.
CSP reports show violations from the consent script after enabling SRI
If you have enabled SRI and removed 'unsafe-inline', make sure you have published the container and replaced the script tag on your site with the updated version that includes the integrity and crossorigin attributes. If the page still carries the old inline snippet, the browser cannot verify it and the policy still needs 'unsafe-inline' for it to run.
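The following is an added example, not DataGrail's code. It merges the directives from this page into an existing policy the way the text describes (appending to script-src and connect-src rather than replacing them, and carrying over default-src sources when it has to create one of them), and then reports the failure classes the troubleshooting entries describe: origin not allowed in script-src, origin not allowed in connect-src, and an inline snippet with no effective 'unsafe-inline'. The function names, the sample policies and the simplified host matching (exact origin, https: or *; wildcard hosts are not handled) are this example's own assumptions; DATAGRAIL_ORIGIN is just the origin quoted above.

```javascript
// Added example, not DataGrail's code: merge the CSP directives from this page
// into an existing policy without replacing it, then check the result for the
// failure modes described in the troubleshooting section.

const DATAGRAIL_ORIGIN = "https://api.consentjs.datagrail.io";

// Sources required by the default (inline) embed and by the SRI embed.
const REQUIRED_INLINE = {
  "script-src": ["'unsafe-inline'", DATAGRAIL_ORIGIN],
  "connect-src": ["'self'", DATAGRAIL_ORIGIN],
};
const REQUIRED_SRI = {
  "script-src": [DATAGRAIL_ORIGIN],
  "connect-src": ["'self'", DATAGRAIL_ORIGIN],
};

// Parse a CSP header value into a Map of directive name -> source list.
// Browsers honour only the first occurrence of a repeated directive, so a
// second "script-src" is dropped here too rather than merged.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Append the required sources to each directive, creating the directive when
// absent. script-src and connect-src are fetch directives that fall back to
// default-src when missing, so a newly created directive is seeded from
// default-src (minus 'none'); otherwise adding script-src would silently
// revoke the default-src sources the page's other scripts rely on.
function mergeCsp(header, required) {
  const policy = parseCsp(header);
  for (const [name, sources] of Object.entries(required)) {
    const existing = policy.has(name)
      ? policy.get(name)
      : (policy.get("default-src") || []).filter((s) => s !== "'none'");
    for (const source of sources) {
      if (!existing.includes(source)) existing.push(source);
    }
    policy.set(name, existing);
  }
  return serializeCsp(policy);
}

// Return the list of reasons the consent script would be blocked under the
// given policy; an empty list means the policy is sufficient. Host matching is
// simplified (exact origin, "https:" or "*"); wildcard hosts are not handled.
function checkCsp(header, { sri = false } = {}) {
  const policy = parseCsp(header);
  const effective = (name) =>
    policy.get(name) || policy.get("default-src") || [];
  const allowsOrigin = (sources) =>
    sources.includes(DATAGRAIL_ORIGIN) ||
    sources.includes("https:") ||
    sources.includes("*");
  const script = effective("script-src");
  const connect = effective("connect-src");
  const problems = [];
  if (!allowsOrigin(script)) {
    problems.push(`script-src does not allow ${DATAGRAIL_ORIGIN} (Refused to load the script)`);
  }
  if (!allowsOrigin(connect)) {
    problems.push(`connect-src does not allow ${DATAGRAIL_ORIGIN} (Refused to connect; preferences cannot be saved)`);
  }
  if (!sri) {
    // The default embed runs an inline snippet, which needs 'unsafe-inline'.
    // CSP2+ browsers ignore 'unsafe-inline' when the same list also carries a
    // nonce or hash source, so that combination is flagged as well.
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    if (!script.includes("'unsafe-inline'")) {
      problems.push("script-src lacks 'unsafe-inline'; the inline snippet is blocked unless it carries a matching nonce or hash");
    } else if (hasNonceOrHash) {
      problems.push("'unsafe-inline' is ignored because script-src also contains a nonce or hash source");
    }
  }
  return problems;
}

// Usage: merge into a constructed sample policy, then verify it.
const existingPolicy = "default-src 'self'; img-src 'self' data:";
const mergedPolicy = mergeCsp(existingPolicy, REQUIRED_INLINE);
console.log(mergedPolicy);
console.log(checkCsp(mergedPolicy)); // []
```

Run the SRI variant with mergeCsp(policy, REQUIRED_SRI) and checkCsp(policy, { sri: true }) after you have switched the embed to the script tag with integrity and crossorigin attributes; checking a still-inline embed against the SRI policy is exactly the mismatch the last troubleshooting entry describes.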
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.