Content Security Policy
Allowlist the ConsentStack SDK on sites that ship a strict CSP. Covers connect-src, script-src, img-src, and style-src.
If your site sends a Content-Security-Policy header, you need to allowlist the ConsentStack endpoints. Without it, the browser blocks the SDK's network requests and the banner can't load its config, log consent, or render its logo. The script tag itself usually succeeds, which makes this a quiet failure: the SDK appears installed, but nothing actually works.
This page lists the directives the SDK touches, the minimum allowlist for each, and the most common console errors so you can match a symptom to a fix.
What the SDK calls
Once the core script runs it makes three HTTPS requests:
| Request | Endpoint | Purpose |
|---|---|---|
| GET | https://config.consentstack.io | KV-cached config (primary fast path) |
| GET | https://origins.consentstack.io/functions/v1/config | Origin config (fallback when KV misses) |
| POST | https://origins.consentstack.io/functions/v1/consent | Consent and impression logging |
It also fetches the "Powered by" logo from https://cdn.consentstack.io/assets/ and injects a <style> tag with the banner's CSS.
Minimum directives
If your CSP defines any of the following directives, add the listed origins. Note that a fetch directive you leave undefined falls back to default-src, so a policy consisting only of default-src 'self' still blocks the SDK.
connect-src
Required. The SDK can't function without these.
connect-src 'self' https://config.consentstack.io https://origins.consentstack.io;
script-src
Required so the two install tags can execute.
script-src 'self' https://cdn.consentstack.io;
img-src
Required so the banner's "Powered by" logo renders (free plan only). If you're on a paid plan and have removed branding, this is optional.
img-src 'self' https://cdn.consentstack.io;
style-src
The banner CSS is injected as a single <style> tag at init. Dynamically inserted <style> elements count as inline styles under CSP, so you currently need 'unsafe-inline':
style-src 'self' 'unsafe-inline';
Nonce-based style-src is not yet supported. If your security review requires removing 'unsafe-inline' from style-src, get in touch and we'll prioritise nonce propagation.
Full example
A complete, copy-paste-ready policy for a site whose own assets sit on the same origin:
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdn.consentstack.io;
connect-src 'self' https://config.consentstack.io https://origins.consentstack.io;
img-src 'self' data: https://cdn.consentstack.io;
style-src 'self' 'unsafe-inline';
font-src 'self';
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
Merge each *-src line with whatever your site already needs (analytics, fonts, embeds, etc.). The directives above only show the ConsentStack-specific entries.
If you set CSP via a <meta http-equiv="Content-Security-Policy"> tag instead of an HTTP header, place it before the ConsentStack script tags. Meta-tag CSP only applies to elements parsed after it.
Verifying
Open DevTools, reload the page, and look at the Console and Network tabs.
- Console clean, Network shows 200 for config.consentstack.io and origins.consentstack.io: allowlist is correct.
- Console shows "Refused to connect because it violates the document's Content Security Policy": connect-src is missing one of our origins.
- Console shows "Refused to load the script": script-src is missing cdn.consentstack.io.
- Console shows "Refused to apply inline style": style-src is missing 'unsafe-inline'.
You can also enable data-debug="true" on the core script tag to see exactly which fetches the SDK is attempting. See SDK Installation.
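As an added example (not part of the ConsentStack docs or SDK), the following Python checker parses an existing policy header and reports which of the four directives above still lack a ConsentStack entry. It goes slightly beyond the page by applying the default-src fallback, wildcard and scheme sources, and the CSP3 rule that a nonce or hash in style-src makes 'unsafe-inline' ignored; the host-source matching is simplified (no paths or ports).

```python
from urllib.parse import urlsplit
# Per-directive entries the ConsentStack page lists as required.
REQUIRED = {
    "connect-src": ["https://config.consentstack.io", "https://origins.consentstack.io"],
    "script-src": ["https://cdn.consentstack.io"],
    "img-src": ["https://cdn.consentstack.io"],
    "style-src": ["'unsafe-inline'"],
}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}; first copy wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def source_allows(src, origin):
    """Does one scheme/host source expression cover an https origin? (simplified matching)"""
    host = urlsplit(origin).hostname
    if src in ("*", "https:", origin):
        return True
    if src.startswith("https://*."):  # wildcard subdomain, e.g. https://*.consentstack.io
        return host.endswith(src[len("https://*"):])
    return False

def missing_for_consentstack(header):
    """Return {directive: [missing entries]}; an empty dict means the SDK's requests will pass."""
    policy = parse_csp(header)
    problems = {}
    for directive, needed in REQUIRED.items():
        # Fetch directives inherit default-src when absent; with neither set, nothing is restricted.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue
        missing = []
        for item in needed:
            if item.startswith("'"):
                # CSP3: a nonce or hash in the same directive makes 'unsafe-inline' ignored.
                ok = item in sources and not any(s.startswith(("'nonce-", "'sha")) for s in sources)
            else:
                ok = any(source_allows(s, item) for s in sources)
            if not ok:
                missing.append(item)
        if missing:
            problems[directive] = missing
    return problems
```

Run missing_for_consentstack() over the header your site currently sends; each directive it returns corresponds to one of the console errors decoded in the next section.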
Common errors, decoded
Refused to connect to 'https://config.consentstack.io/...' because it
violates the document's Content Security Policy directive:
"connect-src 'self' ..."
Add https://config.consentstack.io and https://origins.consentstack.io to connect-src. Both are needed: the first is the fast path, the second is the fallback the SDK retries on if KV misses or returns a non-2xx.
Refused to load the script 'https://cdn.consentstack.io/consent.js?...'
because it violates the document's Content Security Policy directive:
"script-src 'self' ..."
Add https://cdn.consentstack.io to script-src. The CDN is where both the stub and core bundles are served from.
Refused to apply inline style because it violates the document's
Content Security Policy directive: "style-src 'self' ..."
Add 'unsafe-inline' to style-src, or scope it to a style-src-elem directive that allows inline. Without this, the banner renders unstyled.
CDN preconnect
The recommended <link rel="preconnect" href="https://cdn.consentstack.io" /> tag is not affected by CSP connect-src; preconnect hints are governed by the network layer, not CSP. You don't need any extra directive for it to work.