Content Security Policy
If your site uses a Content Security Policy, you may need to add directives to allow InstantSchema to load or fetch data. The required directives depend on which integration method you use.
Quick reference
| Integration | script-src | connect-src |
|---|---|---|
| CDN script | ✅ Required | ✅ Required |
| Inline script | — | ✅ Required |
| GTM | ✅ Required | ✅ Required |
| Next.js SDK | — | — |
| Astro | — | — |
| Nuxt | — | — |
| Custom API | — | — |
CDN script
The CDN integration loads a script from app.instantschema.com and then fetches schema data from the same origin.
Add both directives, script-src and connect-src, for that origin.
Inline script
The inline script makes a fetch() call to the API but does not load any external script file.
Add only a connect-src entry for the API origin.
GTM
GTM loads the InstantSchema CDN script via its own container. You need script-src for the InstantSchema domain (plus whatever GTM itself requires).
GTM's own container script (googletagmanager.com) is separate from InstantSchema. Check GTM's documentation for the full list of domains their container needs.
Strict CSP with nonces
If your policy uses 'strict-dynamic' with a per-request nonce, the CDN loader script tag needs the nonce attribute carrying that request's nonce.
With 'strict-dynamic', scripts loaded by a trusted (nonced) script inherit trust automatically. The loader's internal fetch() call is not a script load, so it is not covered by the nonce and still needs an explicit connect-src entry.
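As an added check, not code from InstantSchema's documentation or product, the script below parses a Content-Security-Policy header and reports which directives from the quick-reference table are missing for a given integration, including the strict-dynamic case just described, where a nonce satisfies script-src but connect-src still needs a host entry. The origin is the one named on this page; the integration keys, the simplified host matching and the sample nonce are assumptions.

```javascript
const ORIGIN = "https://app.instantschema.com";
// Directive needs per integration, taken from the quick-reference table above.
const NEEDS = {
  cdn: { script: true, connect: true },
  inline: { script: false, connect: true },
  gtm: { script: true, connect: true },
  sdk: { script: false, connect: false }, // Next.js, Astro, Nuxt, custom API
};

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective source list: falls back to default-src, then to deny-all.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || [];
}

// Host-allowlist match, simplified to exact origin, bare host, "https:" or "*";
// wildcard subdomains are not modeled (assumption).
function allowsHost(sources, origin) {
  const host = new URL(origin).host;
  return sources.some((s) => ["*", "https:", origin, host].includes(s));
}

// Returns { ok, missing } for a header, an integration from NEEDS, and the
// nonce attribute (if any) carried by the loader <script> tag.
function checkPolicy(header, integration, loaderNonce) {
  const policy = parseCsp(header);
  const need = NEEDS[integration];
  const missing = [];
  if (need.script) {
    const scriptSrc = sourcesFor(policy, "script-src");
    const nonced = Boolean(loaderNonce) && scriptSrc.includes(`'nonce-${loaderNonce}'`);
    // Under 'strict-dynamic' host entries are ignored: only the nonce counts.
    const hostOk = !scriptSrc.includes("'strict-dynamic'") && allowsHost(scriptSrc, ORIGIN);
    if (!nonced && !hostOk) missing.push("script-src");
  }
  // Nonces and 'strict-dynamic' never apply to fetch(): connect-src needs a host.
  if (need.connect && !allowsHost(sourcesFor(policy, "connect-src"), ORIGIN)) {
    missing.push("connect-src");
  }
  return { ok: missing.length === 0, missing };
}
```

Run it against your deployed header value to confirm the integration you chose is permitted before shipping a tightened policy.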