Spotify Pixel and Your CSP

How Content Security Policies impact your Spotify pixel

What is a Content Security Policy (CSP)? 

A CSP is a layer of security added to websites to prevent different types of malicious attacks, such as XSS (cross-site scripting) and data injection attacks. The CSP prevents the execution of scripts from domains that are not explicitly allowed.

Do all websites have a CSP? 

Not necessarily. For information on your organization's website and whether a CSP is deployed, you should reach out to the respective tech contact within your organization. 

What happens to performance tracking if we deploy a CSP?

A CSP can prevent the Spotify pixel from firing and collecting data necessary to complete performance measurement. Though we may see a pixel fire, that pixel fire may provide little to no information about the event that was triggered. Subsequently, Spotify Ad Analytics is unable to attribute those potential conversion events back to a campaign that we are tracking. 

How can I tell if a CSP is blocking the Spotify Pixel from firing?

The best way to determine if a CSP is preventing the Spotify Pixel from interacting as intended is to speak directly with your respective tech team. They can advise if a CSP is in place, and whether Spotify's pixel is allowed. 

You can also use the inspector tool in your web browser and look for errors in the console as you navigate the site (in general or when triggering certain events). These errors may appear similar to the errors below:

How do I prevent the CSP from blocking the Spotify Pixel?

If you are using a CSP, you will need to add the following two lines:

script-src 'unsafe-inline' https://pixel.byspotify.com;
connect-src https://evnt.byspotify.com;
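The two directives above only take effect if they end up in the directive that actually governs the page. The following added example (not Spotify's code; the sample policy and the host `cdn.example.test` are constructed) checks an existing policy for the sources listed above and merges them in rather than appending a second `script-src` or `connect-src`.

```javascript
// Added example (not Spotify's code): checks a CSP value for the sources this page lists.
const REQUIRED = {
  'script-src': ["'unsafe-inline'", 'https://pixel.byspotify.com'],
  'connect-src': ['https://evnt.byspotify.com'],
};

// Parse a policy string. A repeated directive name is ignored by browsers,
// so only the first occurrence is kept.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Source list governing a directive: its own, else default-src, else null (unrestricted).
function effective(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// Required sources not listed verbatim (conservative: wildcards are not expanded).
function missingSources(policy) {
  const directives = parseCsp(policy);
  const missing = {};
  for (const [name, needed] of Object.entries(REQUIRED)) {
    const have = effective(directives, name);
    const lacking = have === null ? [] : needed.filter((src) => !have.includes(src));
    if (lacking.length) missing[name] = lacking;
  }
  return missing;
}

// Merge the missing sources into the governing directive rather than appending a duplicate.
function addSpotifySources(policy) {
  const directives = parseCsp(policy);
  for (const [name, lacking] of Object.entries(missingSources(policy))) {
    const base = effective(directives, name).filter((src) => src !== "'none'");
    directives.set(name, [...base, ...lacking]);
  }
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Constructed sample policy; cdn.example.test is a placeholder host.
const sample = "default-src 'self'; script-src 'self' https://cdn.example.test";
console.log(missingSources(sample));
console.log(addSpotifySources(sample));
```

Browsers ignore `'unsafe-inline'` when the same `script-src` list also contains a nonce or hash source, so a policy of that kind still blocks inline code after the merge.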