article Browser monitors: Issues with Content Security Policy in Troubleshooting

article Browser monitors: Issues with Content Security Policy in Troubleshooting https://community.dynatrace.com/t5/Troubleshooting/Browser-monitors-Issues-with-Content-Security-Policy/ta-p/233048 <P><LI-TOC indent="15" liststyle="disc" maxheadinglevel="2"></LI-TOC></P> <H2> </H2> <H2>Summary</H2> <P><A href="https://dt-url.net/q1e1pkl" target="_blank" rel="noopener">Content Security Policy (CSP)</A> is a security layer that helps detect and mitigate specific types of attacks, such as Cross-Site Scripting (XSS) and data-injection attacks.</P> <P>Unfortunately, the applied CSP settings are likely to prevent the browser from sending monitoring data to the Dynatrace Cluster.</P> <H2>Preferred solution: Monitor settings</H2> <P>As a first and preferred method to bypass the CSP of any monitored pages in your single-URL browser monitor or browser clickpath, enable <STRONG>Bypass Content Security Policy (CSP) of monitored pages</STRONG> in monitor settings. You can do this in <STRONG>Additional options</STRONG> when creating a browser monitor or in <STRONG>Advanced setup</STRONG> in monitor settings in edit mode.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bypass CSP in browser monitor settings" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/16537i8129B1525D99CD50/image-size/medium?v=v2&px=400" role="button" title="bypass-csp-browser-monitor.png" alt="bypass-csp-browser-monitor.png" /></span></P> <P>If you're unable to use this option for some reason, refer to the advanced methods for bypassing CSP below.</P> <H2>Advanced methods to bypass CSP</H2> <P>Your CSP rules, such as the following, prevent Dynatrace from sending requests to a path relative to the page URL.</P> <P><CODE>"Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'"</CODE></P> <P>If you use custom JavaScript events, you may see the following JavaScript error.</P> <P><CODE>Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed</CODE>. To avoid this, your page needs to allow <CODE>script-src unsafe-eval</CODE>.</P> <P>In other cases, you must modify the page to allow connections relative to the URL. The following are example scenarios.</P> <H3>Example 1</H3> <P>CSP settings specified by using the <CODE><meta></CODE> tag are likely to prevent the browser from sending monitoring data to Dynatrace Cluster.</P> <P>To resolve this issue, you can either set up a CSP HTTP header by replacing any existing CSP <CODE><meta></CODE> tag or add your environment URL to CSP, as shown below.</P> <P><CODE><meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' https://{your environment id}.live.dynatrace.com"></CODE></P> <H3>Example 2</H3> <P data-unlink="true">A page loaded from <CODE>http://www.mydomain.com</CODE> returns no data in the UI because the CSP settings specify <CODE>connect-src https://</CODE>.</P> <P>In such a case, you can try either of the following.</P> <P class="lia-indent-padding-left-30px">-Add <CODE>http://</CODE> to <CODE>connect-src</CODE>.</P> <P class="lia-indent-padding-left-30px" data-unlink="true">-Switch the test to load <CODE>https://www.mydomain.com</CODE> instead of <CODE>http://www.mydomain.com</CODE>.</P> <H3>Example 3</H3> <P data-unlink="true">A page loaded from <CODE>http://www.mydomain.com</CODE> returns no data in the UI because the CSP rules specify <CODE>connect-src http://*.mydomain.com</CODE>.</P> <P>In this case, add <CODE>http://</CODE> to <CODE>connect-src</CODE>.</P> <P> </P> <H2>What's Next</H2> <P><SPAN>If none of the previous steps resolved the issue, open a chat and provide a link to your Browser Monitor, and the troubleshooting steps you have already completed.</SPAN><BR /><BR /><SPAN>You can find further troubleshooting tips for Synthetic in the </SPAN><A class="" href="https://community.dynatrace.com/t5/Troubleshooting/Synthetic-Troubleshooting-Map/ta-p/250426" target="_blank" rel="noopener">Synthetic Troubleshooting Map</A></P> Tue, 18 Nov 2025 12:52:51 GMT nandini_balakri 2025-11-18T12:52:51Z Browser monitors: Issues with Content Security Policy https://community.dynatrace.com/t5/Troubleshooting/Browser-monitors-Issues-with-Content-Security-Policy/ta-p/233048 <P>Standard and advanced methods for bypassing CSP so your browser monitors can send monitoring data to the Dynatrace Cluster</P> Tue, 18 Nov 2025 12:52:51 GMT https://community.dynatrace.com/t5/Troubleshooting/Browser-monitors-Issues-with-Content-Security-Policy/ta-p/233048 nandini_balakri 2025-11-18T12:52:51Z