If your site sets a Content-Security-Policy header, you need to allow the Tripwire SDK to load, execute WebAssembly, spawn inline workers, create probe iframes, and communicate with the Tripwire API.
Required directives
script-src
The SDK is loaded as an ESM module from the Tripwire CDN. It also contains an embedded WebAssembly module that requires 'wasm-unsafe-eval' to instantiate.
```text
script-src 'self' https://cdn.tripwirejs.com 'wasm-unsafe-eval';
```
| Value | Why |
|---|---|
| https://cdn.tripwirejs.com | Loads the SDK bundle (`/t.js`) |
| 'wasm-unsafe-eval' | Instantiates the embedded WebAssembly module used for device fingerprinting, behavioral analysis, and environment probing |
Some older browsers require 'wasm-unsafe-eval', while newer ones support the more restrictive 'wasm-eval'. Use 'wasm-unsafe-eval' for the broadest compatibility.
connect-src
The SDK sends encrypted observation data and receives scoring results from the Tripwire API. It also opens a WebSocket for network identity cross-validation (VPN/proxy detection).
```text
connect-src 'self' https://api.tripwirejs.com wss://api.tripwirejs.com;
```
| Value | Why |
|---|---|
| https://api.tripwirejs.com | All collect endpoints: session creation, observation batches, fingerprint freezing, sealed token minting, network checks, and RTT pings |
| wss://api.tripwirejs.com | WebSocket connection for VPN/proxy network identity cross-validation |
worker-src
The SDK creates inline Web Workers from blob URLs for cross-thread environment validation and debugger detection.
| Value | Why |
|---|---|
| blob: | Inline workers are constructed via `new Blob()` + `URL.createObjectURL()` for runtime integrity checks that must execute in a separate thread |
frame-src
The SDK creates temporary hidden same-origin iframes for realm isolation probes, CSP bypass detection, and font measurement.
| Value | Why |
|---|---|
| 'self' | Hidden `<iframe>` elements are appended to the DOM to obtain a clean JavaScript realm for tamper-resistant API probing |
Full example
A minimal CSP that supports Tripwire alongside your own assets:
```text
default-src 'self';
script-src 'self' https://cdn.tripwirejs.com 'wasm-unsafe-eval';
connect-src 'self' https://api.tripwirejs.com wss://api.tripwirejs.com;
worker-src 'self' blob:;
frame-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
object-src 'none';
base-uri 'self';
```
If you use a meta tag instead of a response header:
```html
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; script-src 'self' https://cdn.tripwirejs.com 'wasm-unsafe-eval'; connect-src 'self' https://api.tripwirejs.com wss://api.tripwirejs.com; worker-src 'self' blob:; frame-src 'self';"
/>
```
Graceful degradation
The SDK is designed to degrade gracefully. If a CSP directive blocks a specific probe (for example, workers or iframes), the SDK skips that signal and continues with the remaining detection surface. Missing signals reduce coverage, however, and may affect verdict confidence. For best results, allow all directives listed above.
What Tripwire does NOT need
| Directive | Why not needed |
|---|---|
| media-src | No audio or video resources are loaded |
| font-src (for Tripwire) | Font metrics are measured in-place; no external fonts are fetched |
| child-src | Covered by worker-src and frame-src above |
Troubleshooting
Check the browser DevTools console for CSP violation errors. Common failures:
| Error message | Fix |
|---|---|
| Refused to load the script https://cdn.tripwirejs.com/t.js | Add https://cdn.tripwirejs.com to script-src |
| Refused to compile or instantiate WebAssembly module | Add 'wasm-unsafe-eval' to script-src |
| Refused to connect to https://api.tripwirejs.com | Add https://api.tripwirejs.com to connect-src |
| Refused to create a worker from blob: | Add blob: to worker-src |
| Refused to frame (same-origin iframe blocked) | Add 'self' to frame-src |
Before enforcing a new policy, deploy it with Content-Security-Policy-Report-Only and a reporting endpoint (report-uri or report-to) so that violations are reported without breaking the page.
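To catch a missing allowance before it shows up as a console error, the policy string can be checked offline against the requirements listed on this page. The following is an added example, not part of the Tripwire SDK; it applies the CSP3 directive fallback chain (worker-src → child-src → script-src → default-src, frame-src → child-src → default-src) so that a policy that only sets default-src is judged the way a browser would judge it, and uses a deliberately simplified source matcher (exact token, bare scheme, or `*` for network schemes; no host wildcards).

```python
"""Added example: check a CSP string for the allowances the Tripwire SDK needs (not SDK code).
Applies CSP3 directive fallback so a policy with only default-src is judged as a browser would."""
from typing import Dict, List, Optional, Set

# CSP3 fallback: a directive that is absent inherits from the next listed one.
FALLBACK = {"worker-src": ["child-src", "script-src", "default-src"],
            "frame-src": ["child-src", "default-src"],
            "connect-src": ["default-src"], "script-src": ["default-src"]}

# Sources the SDK needs per directive, as listed on this page.
REQUIRED = {"script-src": ["https://cdn.tripwirejs.com", "'wasm-unsafe-eval'"],
            "connect-src": ["https://api.tripwirejs.com", "wss://api.tripwirejs.com"],
            "worker-src": ["blob:"], "frame-src": ["'self'"]}

def parse_csp(header: str) -> Dict[str, Set[str]]:
    """Split a policy into {directive: sources}; a repeated directive is ignored, as in browsers."""
    policy: Dict[str, Set[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def effective_sources(policy: Dict[str, Set[str]], directive: str) -> Optional[Set[str]]:
    """Source list a browser applies for `directive` after fallback, or None if unrestricted."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None

def allows(sources: Optional[Set[str]], needed: str) -> bool:
    """Simplified matching: exact token, bare scheme (https:), or '*' for network schemes only."""
    if sources is None:
        return True
    if "'none'" in sources or (needed.startswith("'") and needed not in sources):
        return False  # keywords such as 'self' and 'wasm-unsafe-eval' need an exact token
    scheme = needed.split(":", 1)[0] + ":"
    return (needed in sources or scheme in sources
            or ("*" in sources and scheme in ("http:", "https:", "ws:", "wss:")))

def missing_for_tripwire(header: str) -> List[str]:
    """Fixes still needed, phrased like the troubleshooting table on this page."""
    policy = parse_csp(header)
    return [f"Add {needed} to {directive}"
            for directive, needed_list in REQUIRED.items()
            for needed in needed_list
            if not allows(effective_sources(policy, directive), needed)]
```

Run `missing_for_tripwire()` on the exact value you send in the header (or the meta tag's `content`); an empty list means every directive the SDK needs is satisfied, directly or through fallback.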