What does Network Status "blocked: CSP" mean?
If the browser network panel shows Blocked: CSP, it means the browser prevented a resource from loading because it violates the website’s Content Security Policy (CSP). CSP is a security mechanism that lets website owners define which sources are allowed to load scripts, images, stylesheets, and other content.
For Fraud0, this usually means the website is trying to load the Fraud0 script from https://api.fraud0.com, but the site’s current CSP does not allow that domain in script-src. When that happens, the browser blocks the script and the Fraud0 tag cannot run.
To resolve this, the site’s CSP must explicitly allow the Fraud0 host. For the on-site tag, end users usually only need to allow:
- script-src for the host serving the Fraud0 script, typically https://api.fraud0.com
- connect-src for Fraud0 event and telemetry POST requests, typically https://api.fraud0.com
- img-src for fallback image-based event delivery and error reporting to https://api.fraud0.com
- frame-src 'self' to avoid breaking same-origin/about:blank iframe-based probes used by some collectors
This error may not appear on websites with a much more permissive catch-all CSP that broadly allows many sources by default, but those policies are less secure. The recommended approach is to keep the CSP explicit and only allow trusted sources such as https://api.fraud0.com.
Recommended baseline policy for the on-site tag
Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; script-src 'self' https://api.fraud0.com; connect-src 'self' https://api.fraud0.com; img-src 'self' data: https://api.fraud0.com; frame-src 'self';
Please note: https://bt.fraud0.com is our old tracking domain and is deprecated. Any references can be replaced with https://api.fraud0.com.
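
To check which of the directives above an existing policy still lacks before deploying it, the following added example (not Fraud0's own code) parses a Content-Security-Policy value and applies the browser's fallback to default-src. The function names and the sample policy are constructed for illustration, and source matching is simplified: ports, paths, nonces and 'strict-dynamic' are not evaluated.

```javascript
// Added example: simplified CSP check, not a full CSP Level 3 matcher.
const FRAUD0_ORIGIN = "https://api.fraud0.com"; // host named on this page

// Fallback chains for the fetch directives the on-site tag relies on.
const CHAINS = {
  "script-src": ["script-src-elem", "script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression allow the given origin? Ports and paths are ignored.
function sourceAllows(source, origin) {
  const { protocol, hostname } = new URL(origin);
  const s = source.toLowerCase();
  // CSP3 scheme matching: an "http" source also matches https resources.
  const schemeOk = (sch) => sch === protocol || (sch === "http:" && protocol === "https:");
  if (s === "*") return true;
  if (s.startsWith("'")) return false; // 'self', 'none', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s); // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m || (m[1] && !schemeOk(m[1] + ":"))) return false;
  return m[2].startsWith("*.") ? hostname.endsWith(m[2].slice(1)) : m[2] === hostname;
}

// Return the tag's directives under which the browser would block the origin.
function blockedDirectives(policy, origin = FRAUD0_ORIGIN) {
  const directives = parsePolicy(policy);
  return Object.keys(CHAINS).filter((name) => {
    const effective = CHAINS[name].find((d) => directives.has(d));
    // No directive anywhere in the chain means this fetch type is unrestricted.
    return effective && !directives.get(effective).some((src) => sourceAllows(src, origin));
  });
}

// Constructed sample policy: script-src was updated, connect-src and img-src were not.
console.log(blockedDirectives("default-src 'self'; script-src 'self' https://api.fraud0.com"));
```

An empty result means none of the three directives would produce "blocked: CSP" for the Fraud0 host; a policy that still lists only the deprecated https://bt.fraud0.com is reported as blocking script-src.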