We are using clarity on our site that enforces a strict Content Security Policy (CSP).
We have added the *.clarity.ms domain to all the relevant directives (connect, script, font, image).
We continue to get a large amount of csp violations arising from Clarity, sometimes several hundred per session.
Example violation:
font-src: csp_violation: 'data' blocked by 'font-src' directive
font-src: 'data' blocked by 'font-src' directive of the policy ...
at <anonymous> @ https://www.clarity.ms/s/0.7.49/clarity.js:2:19579
This looks like it is trying to load fonts using data, which is not outlined in the Clarity CSP docs. I'm hesitant to add 'data' to our CSP, as this could present some security risk, albeit a small one. At the least, I believe the docs should mention if this is a requirement.
Do you know why these violations would be occurring, in such high number? Do you have any advice on how to make it go away?
Hello,
We are using clarity on our site that enforces a strict Content Security Policy (CSP). We have added the
*.clarity.msdomain to all the relevant directives (connect, script, font, image).We continue to get a large amount of csp violations arising from Clarity, sometimes several hundred per session.
Example violation:
This looks like it is trying to load fonts using data, which is not outlined in the Clarity CSP docs. I'm hesitant to add 'data' to our CSP, as this could present some security risk, albeit a small one. At the least, I believe the docs should mention if this is a requirement.
Do you know why these violations would be occurring, in such high number? Do you have any advice on how to make it go away?