Document CSP headers requirements

[paolodamico]

We received some customer feedback that the toolbar and session recording features didn't work with certain CSP [policies], here are details on the feedback:

From what I can tell, connect-src is required for basic operation, and script-src for other features.

I think this can be very well document in our website

[romansergey]

Sorry for a little issue hijacking here, but could you please clarify the following to a prospective user:

Would PostHog (esp. session recording) work fine without having to add unsafe-eval and unsafe-inline in script-src?

[paolodamico]

Hey @romansergey I believe so, but maybe @macobo has better context on this?

[macobo]

I don't (yet), sorry. Hoping to take a look at this soon.

Do we have any sample sites we know session recording/posthog.js doesn't work on because of this?

[zifeo]

@macobo Can you give an update on the official way to handle CSP with PostHog please?

[rcmarron]

Hey @zifeo, I just added a note about how to get CSP to work with recordings in the recording documentation. Adding the https://app.posthog.com domain to your url list in the directive should be enough to get it working.

I'm going to close this issue, but let me know if you're having troubles getting it to work, and we can figure it out.