Required content security policy

I can’t find a list of directives that need to be added to my content security policy to use sentry.io with raven.js. So far I’ve only got https://cdn.ravejs.com, but is there anything else that’s required for full operation of Sentry?

For example, both Fullstory and Intercom provide a list of the required directives:


https://www.intercom.com/help/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy

Hi @ndench, you will need to add script-src: https://cdn.ravenjs.com (or wherever you’re loading the script from) and the domain present in your configured DSN (connect-src: https://sentry.io).

PR here: https://github.com/getsentry/sentry-javascript/pull/1476

1 Like

That’s perfect, thanks!

Hey @untitaker

Just as a followup:

Is it safe to whitelist the whole of sentry.io? Would it make more sense to whitelist each project url instead? Would it be possible for someone to hijack a client, update their sentry reporting endpoint to their own, and then receive error data, which could possibly contain sensitive user data?

I’m also not sure if the above PR docs exist anywhere currently.
I Googled a string from the PR and couldn’t see any good results.

Thanks,
Finlay