Experience Builder CSP security level

The Security & Privacy section of the Experience Builder settings contains a subsection called Content Security Policy (CSP). Set its "Security Level" setting to "Relaxed CSP: Permit Access to Inline Scripts and Allowed Hosts". This unlocks the ability to add CSP entries for Talkative URLs.

Experience Builder Trusted Sites

The following is a list of sites that need to be added to the "Trusted Sites for Scripts" subsection found in the "Security & Privacy" section of the Experience Builder.

CSP Trusted Sites

These sites need to be added to the org's CSP trusted sites list. This is found in the settings area of the main org (not in the Experience Builder). Go to Settings, then type "CSP Trusted Sites" in the sidebar menu search box. Click the link in the sidebar to open the index page, where you can create new CSP trusted site entries.

  • EngageUS S3 bucket
  • EngageUS main site:
    • reason: JS HTTP communication with the Engage API
    • url: https://us.engage.app
    • allow: connect-src
    • context: Experience Builder Sites
  • Sentry
    • reason: error logging
    • url: https://sentry.io
    • allow: connect-src
    • context: Experience Builder Sites
  • Pusher SockJS
  • Pusher WebSocket
    • reason: WebSocket realtime connection
    • url: wss://ws-us.pusher.com
    • allow: connect-src
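
To confirm the entries took effect, the script below (an added example, not Talkative or Salesforce code) parses a Content-Security-Policy header value and lists which of the connect-src URLs given above it does not permit. The sample header is constructed, the function names are illustrative, and matching is deliberately strict: explicit scheme only, with keywords and a bare `*` treated as non-matching. The EngageUS S3 bucket and Pusher SockJS entries have no URL on this page, so they are not checked.

```javascript
// Added example: report which required connect-src origins a
// Content-Security-Policy header does not permit.
const REQUIRED = ["https://us.engage.app", "https://sentry.io", "wss://ws-us.pusher.com"];
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const HOST_SRC = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i;

// Parse a header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers, so the first one wins.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Strict origin-level match: explicit scheme required, no scheme upgrades.
// Keywords ('self'), nonces, bare "*" and path-restricted sources never match,
// so an origin may be flagged here that a browser would still allow.
function sourceAllows(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = HOST_SRC.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (path && path !== "/") return false;
  if (scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = host.toLowerCase();
  // "*.example.com" covers subdomains only, never example.com itself.
  const hostOk = wildcard ? url.hostname.endsWith("." + h) : url.hostname === h;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  const portOk = port === "*" || (port || DEFAULT_PORT[url.protocol]) === urlPort;
  return hostOk && portOk;
}

// connect-src falls back to default-src; with neither, nothing is restricted.
function missingConnectSrc(header, required = REQUIRED) {
  const policy = parseCsp(header);
  const sources = policy["connect-src"] ?? policy["default-src"];
  if (sources === undefined) return [];
  return required.filter((o) => !sources.some((s) => sourceAllows(s, new URL(o))));
}

// Constructed sample header: the Pusher WebSocket origin has been left out.
const SAMPLE = "default-src 'self'; connect-src 'self' https://us.engage.app https://*.sentry.io https://sentry.io";
console.log(missingConnectSrc(SAMPLE));
```

Replace `SAMPLE` with the Content-Security-Policy response header copied from the site's page load in the browser developer tools; an empty result means all three URLs are permitted.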

Adding script snippet

In the Experience Builder settings, go to the "Advanced" section and click "Edit head markup". Paste the snippet into the code editor that opens.