What is a Content Security Policy?
In the simplest terms, a Content Security Policy (CSP) is an HTTP response header that tells the browser what the page is allowed to do. You control the various security aspects through directives, each of which is assigned a set of permitted sources. Using a strict CSP helps you prevent Cross-Site Scripting (XSS) attacks by malicious users. This article explains more about CSP and how to apply a Content-Security-Policy header to your site.
Directives that Cookiebot Supports
Cookiebot supports the following directives (your organization's security protocol requirements might be different):
| Directive | Value | Notes |
| --- | --- | --- |
| default-src | 'self' | |
| script-src | 'nonce-XXXXXXXXXX' 'strict-dynamic' | A nonce (a value that is used only once) should be generated dynamically and applied to the script tags on each page load. You may also use a hash value instead; see this documentation on how to apply your script-src value. |
| style-src | 'self' 'unsafe-inline' | |
| connect-src | 'self' https://consentcdn.cookiebot.com https://consent.cookiebot.com | |
| frame-src | 'self' https://consentcdn.cookiebot.com | |
| img-src | 'self' http://imgsct.cookiebot.com/ | |
| base-uri | 'none' | |
| object-src | 'none' | |
Please note
If you use our European CDN, replace ".com" with ".eu" in the hostnames above. For example:
| Directive | Value |
| --- | --- |
| connect-src | 'self' https://consentcdn.cookiebot.eu https://consent.cookiebot.eu |
An example CSP implementation using the directives above in a meta tag would look like this (note that every directive, including img-src, must be terminated with a semicolon, otherwise the following directive name is read as one of its sources):

```html
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self';
    script-src 'nonce-XXXXXXXXXX' 'strict-dynamic';
    style-src 'self' 'unsafe-inline';
    connect-src 'self' https://consentcdn.cookiebot.com
      https://consent.cookiebot.com https://consent.cookiebot.eu;
    frame-src 'self' https://consentcdn.cookiebot.com;
    img-src 'self' http://imgsct.cookiebot.com/;
    base-uri 'none';
    object-src 'none'"
>
<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  type="text/javascript"
  nonce="XXXXXXXXXX"
></script>
<script
  id="CookieDeclaration"
  src="https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js"
  type="text/javascript"
  nonce="XXXXXXXXXX"
  async
></script>
```
A note on CSP directive fallbacks
If your CSP includes directives such as style-src-elem or script-src-elem, be aware that these take precedence over their more general counterparts, style-src and script-src respectively. The browser follows a fallback hierarchy: a specific directive overrides its parent directive, which in turn overrides default-src. Crucially, as long as the specific directive is present, the browser will not fall back to the general one. For example, an 'unsafe-inline' allowance set under style-src is ignored for inline styles if style-src-elem is also defined, and a domain allowed under script-src will not cover <script> tags if script-src-elem is present without that domain explicitly listed.
To ensure Cookiebot loads and operates correctly, check your CSP for any of the following specific directives and verify that Cookiebot's required domains or nonce value are included within them directly:
- `style-src-elem`: governs `<style>` blocks and `<link rel="stylesheet">` elements
- `style-src-attr`: governs inline `style=""` attributes
- `script-src-elem`: governs `<script>` tags
- `script-src-attr`: governs inline event handlers such as `onclick`
If any of these directives are not needed for your specific security requirements, removing them will allow the browser to fall back to the general style-src or script-src directives, where your existing Cookiebot allowances will then apply.
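To make the check in the list above mechanical, here is an added example, not Cookiebot's own code, in JavaScript: it parses a policy string, walks the fallback chain for each of the four directives, and reports whether the directive that ends up governing Cookiebot's <script> and <style> elements admits the nonce or host from the table. It does not resolve 'self' (the page origin is unknown to it) and ignores hash sources; the policies it is checked against are constructed for the example.

```javascript
// Added example (not Cookiebot's code): parse a CSP string and resolve which
// directive actually governs Cookiebot's <script> and <style> elements, using the
// fallback chain described above (specific -> general -> default-src).

// Split a policy into a Map of directive name -> array of source expressions.
// Per CSP3 the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback chains for the four element/attribute directives named above.
const FALLBACKS = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
  "style-src-attr": ["style-src-attr", "style-src", "default-src"],
};

// The first directive in the chain that is present governs; the browser never
// looks further down once a more specific directive exists. No directive at all
// means the policy imposes no restriction on that kind of fetch.
function effectiveDirective(directives, wanted) {
  for (const name of FALLBACKS[wanted]) {
    if (directives.has(name)) return { directive: name, sources: directives.get(name) };
  }
  return { directive: null, sources: [] };
}

// Hostname of a URL or host-source expression (scheme, port and path stripped).
function hostOf(expr) {
  return expr.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].split(":")[0].toLowerCase();
}

// Does the source list allow fetching `url` by host? Quoted keywords are skipped;
// 'self' is not resolved because the page origin is unknown here (assumption:
// the site is not served from a cookiebot.com host).
function hostAllowed(sources, url) {
  const host = hostOf(url);
  return sources.some((s) => {
    if (s.startsWith("'")) return false;
    if (s === "*") return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return url.toLowerCase().startsWith(s.toLowerCase()); // scheme-source
    const allowed = hostOf(s);
    if (allowed.startsWith("*.")) return host.endsWith(allowed.slice(1));
    return allowed === host;
  });
}

// A script element passes if its nonce is listed; with 'strict-dynamic' present
// host allowances are ignored, so only the nonce can let it run.
function scriptAllowed(sources, url, nonce) {
  if (sources.includes(`'nonce-${nonce}'`)) return true;
  if (sources.includes("'strict-dynamic'")) return false;
  return hostAllowed(sources, url);
}

// Check the two things the article asks for: the directive governing <script>
// elements must admit Cookiebot's script (by nonce or host), and the directive
// governing <style> elements must keep the 'unsafe-inline' the table grants.
function auditCookiebot(policy, nonce) {
  const directives = parseCsp(policy);
  const findings = [];
  const script = effectiveDirective(directives, "script-src-elem");
  if (script.directive && !scriptAllowed(script.sources, "https://consent.cookiebot.com/uc.js", nonce)) {
    findings.push(`${script.directive} governs <script> tags but allows neither 'nonce-${nonce}' nor consent.cookiebot.com`);
  }
  const style = effectiveDirective(directives, "style-src-elem");
  if (style.directive && !style.sources.includes("'unsafe-inline'")) {
    findings.push(`${style.directive} governs <style> elements but lacks 'unsafe-inline'`);
  }
  return findings;
}
```

Run `auditCookiebot(policy, nonce)` against the exact header string your server emits and the nonce it rendered into the page; an empty result means the governing directives admit Cookiebot, while each finding names the specific directive that is shadowing your script-src or style-src allowances and therefore either needs the nonce or domain added or can be removed so the browser falls back.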
Evaluating Your Content Security Policy
We have evaluated our support against CSP Version 3 using Google's CSP Evaluator. Our CSP support provides safe evaluation for all the directives indicated above. This support will be validated for each change we make.
Limitations
Cookiebot’s CSP support is not fully compatible with Automatic Cookie Blocking. If your site contains script tags without a src attribute, we cannot determine the policy to apply to the element and the script will run regardless of the CSP applied. Please fully test your site for functionality before trying to use Automatic Cookie Blocking with a CSP header.
Comments
Please make this work without having to enable 'unsafe-inline' scripts. As the keyword suggests, I have to open a security hole to make Cookiebot work.