CSP for Twitter Widgets & SDKs

Using Twitter Widgets & SDKs with Content Security Policy

The CSP settings for Twitter's Connect, Widgets, and other client-side SDKs are defined here. Note that there is an additional RapidSec package if you are also doing Twitter advertising.

Allow these directives in your CSP to support Twitter Widgets & SDKs in your Content Security Policy:

script-src
  https://platform.twitter.com
  https://analytics.twitter.com
  https://en.twitter.com
  https://cdn.syndication.twimg.com;
style-src
  'unsafe-inline'
  ton.twimg.com
  platform.twitter.com;
frame-src
  *.twitter.com;
img-src
  blob:
  t.co
  *.twitter.com
  *.twimg.com;
font-src
  data:;
connect-src
  t.co
  *.twitter.com
  *.twimg.com;
form-action
  *.twitter.com;
media-src
  *.twimg.com;

The main domains used by Twitter Widgets & SDKs are:

twimg.com
twitter.com

Example Content-Security-Policy violations / reports:

Using the above CSP package will fix these errors that you may be seeing in your console logs:

script-src / script-src-elem / script-src-attr violations

Refused to load the script 'https://platform.twitter.com/widgets.js' because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

style-src / style-src-elem / style-src-attr violations

Refused to load the stylesheet 'https://ton.twimg.com/tfw/css/*.css' because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

font-src violations

Refused to load the font 'twimg.com' because it violates the following Content Security Policy directive: "font-src 'self'"

img-src violations

Refused to load the image 'twimg.com' because it violates the following Content Security Policy directive: "img-src 'self'".

frame-src violations

[Report Only] Refused to frame 'twimg.com' because it violates the following Content Security Policy directive: "frame-src 'self'".

form-action violations

[Report Only] Refused to send form data to 'twimg.com' because it violates the following Content Security Policy directive: "form-action 'self'".

connect-src violations

[Report Only] Refused to connect to 'twimg.com' because it violates the following Content Security Policy directive: "connect-src 'self'"