If the RUM Agent request from the client browser fails with a blocked:csp error, you need to enable the Content Security Policy directive on the web server for Real User Monitoring. This page guides you through it.
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is an essential security standard designed to protect web applications from cross-site scripting (XSS) and other code injection attacks. However, it's important to note that a strict CSP may inadvertently block inline JavaScript and prevent the browser from sending monitoring data to the Real User Monitoring agent.
CSP rules can be set via the <meta> element in the page or the response HTTP header.
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self';"/>
How to enable Content Security Policy (CSP) for Real User Monitoring?
The CSP rules on a page must be configured so that they allow the RUM script to load and execute. Follow the steps below to enable CSP for RUM:
1. Copy the RUM Agent URL from the script injected in your application
The RUM Agent URL is injected into your application's code. You need to copy this URL to use it in the CSP configuration.
2. Construct the Content Security Policy to allow the copied RUM Agent URL
The Content Security Policy is a string that specifies which sources of content are allowed to be executed within a web page. You need to construct this policy to allow the RUM Agent URL.
Here is an example of a Content Security Policy that allows the RUM Agent URL:
Content-Security-Policy: connect-src 'self' https://your.corp.com:7443; script-src 'unsafe-inline' https://your.corp.com:7443;
3. Restart your application (if required) and check whether Real User Monitoring is enabled for the site.
After configuring the CSP, restart your application and check whether RUM is enabled for the site. You can verify this by checking the RUM dashboard.
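Before restarting, the policy built in steps 1 and 2 can be checked offline. The following is an added example, not code from the RUM product: it parses a CSP header value and reports whether connect-src and script-src admit the RUM Agent origin, and whether script-src carries 'unsafe-inline'. The function names and the page origin https://app.example.com are assumptions, and source matching is simplified to exact origins, 'self' and *.

```python
from urllib.parse import urlsplit

def parse_csp(header_value):
    """Split a CSP header value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_rum_csp(header_value, agent_url, page_origin):
    """Report whether connect-src and script-src admit the RUM Agent origin.

    Simplified matching: exact origins, 'self' and '*' only (no host
    wildcards, scheme-only sources, nonces or hashes).
    """
    policy = parse_csp(header_value)
    agent = origin_of(agent_url)
    result = {}
    for directive in ("connect-src", "script-src"):
        # A missing fetch directive falls back to default-src.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            result[directive] = True  # no restriction applies
            continue
        allowed = {s.lower().rstrip("/") for s in sources}
        result[directive] = (
            agent in allowed
            or "*" in allowed
            or ("'self'" in allowed and agent == origin_of(page_origin))
        )
    # With no nonce or hash listed, 'unsafe-inline' permits all inline scripts.
    result["unsafe_inline_scripts"] = "'unsafe-inline'" in [
        s.lower() for s in policy.get("script-src", [])
    ]
    return result

# Constructed inputs: the two policies shown on this page; page origin is assumed.
STRICT = "default-src 'self'; connect-src 'self';"
RUM_READY = ("connect-src 'self' https://your.corp.com:7443; "
             "script-src 'unsafe-inline' https://your.corp.com:7443;")
AGENT_URL = "https://your.corp.com:7443"
PAGE_ORIGIN = "https://app.example.com"
```

Calling check_rum_csp(STRICT, AGENT_URL, PAGE_ORIGIN) reports both directives as blocking the agent, which is the condition behind the blocked:csp error; the same call with RUM_READY reports both as allowing it and flags 'unsafe-inline'.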