
Content Security Policy for Microsoft's Clarity


So I want to add Microsoft's Clarity to my website.

My website has a solid Content Security Policy, and my understanding is that it is bad to use unsafe-inline, so I'm not sure I can trust their CSP suggestions.

So I'd like to follow their final suggestion, specifically:

Clarity load balances between multiple environments in production.
If you need to add all individual Clarity domains to your CSP,
you can add
https://www.clarity.ms,
https://c.bing.com, and
https://[a-z].clarity.ms (i.e., a.clarity.ms, b.clarity.ms... z.clarity.ms).

Questions:


Solution

  • I first tried just adding one domain (i.e. b.clarity.ms), but I found out that didn't work since the load balancing rotation occurred frequently. I also didn't want to risk any vulnerabilities, so I omitted all wildcards.

    Here is my current CSP to make Microsoft Clarity work in case anyone else needs this:

    default-src 'none';
    connect-src https://a.clarity.ms https://b.clarity.ms https://c.clarity.ms https://d.clarity.ms https://e.clarity.ms https://f.clarity.ms https://g.clarity.ms https://h.clarity.ms https://i.clarity.ms https://j.clarity.ms https://k.clarity.ms https://l.clarity.ms https://m.clarity.ms https://n.clarity.ms https://o.clarity.ms https://p.clarity.ms https://q.clarity.ms https://r.clarity.ms https://s.clarity.ms https://t.clarity.ms https://u.clarity.ms https://v.clarity.ms https://w.clarity.ms https://x.clarity.ms https://y.clarity.ms https://z.clarity.ms;
    script-src 'self' https://www.clarity.ms;

    Note that I did not include https://c.bing.com. This has not caused me any issues yet; I suspect this is because I turned off cookies for Microsoft's Clarity.

    I'll update this CSP if anything fails again.
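A small helper for generating that header value and for checking an existing one against the Clarity hosts listed above, added here as an example and not part of the answer above; it assumes only the twenty-six single-letter connect hosts and the www.clarity.ms script host named on this page, and adds https://c.bing.com only when asked.

```python
import string

# Hosts named on this page: the load-balanced a.clarity.ms ... z.clarity.ms pool
# for connect-src, and www.clarity.ms for the loader script.
CLARITY_CONNECT_HOSTS = [f"https://{c}.clarity.ms" for c in string.ascii_lowercase]
CLARITY_SCRIPT_HOSTS = ["https://www.clarity.ms"]

def build_csp(include_bing: bool = False) -> str:
    """Assemble the header value: explicit hosts only, no wildcards, no 'unsafe-inline'."""
    connect = list(CLARITY_CONNECT_HOSTS) + (["https://c.bing.com"] if include_bing else [])
    directives = [
        "default-src 'none'",
        "connect-src " + " ".join(connect),
        "script-src 'self' " + " ".join(CLARITY_SCRIPT_HOSTS),
    ]
    return "; ".join(directives) + ";"

def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    result = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result

def check_csp(policy: str) -> list:
    """Return the problems found; an empty list means every Clarity host is allowed
    explicitly and no weakening keyword or wildcard source is present."""
    d = parse_csp(policy)
    problems = []
    for directive, sources in d.items():
        if "'unsafe-inline'" in sources:
            problems.append(f"{directive} allows 'unsafe-inline'")
        if any("*" in s for s in sources):
            problems.append(f"{directive} uses a wildcard source")
    # A missing directive falls back to default-src, as the browser would.
    connect = d.get("connect-src", d.get("default-src", []))
    for host in CLARITY_CONNECT_HOSTS:
        if host not in connect:
            problems.append(f"connect-src is missing {host}")
    script = d.get("script-src", d.get("default-src", []))
    for host in CLARITY_SCRIPT_HOSTS:
        if host not in script:
            problems.append(f"script-src is missing {host}")
    return problems

if __name__ == "__main__":
    print(build_csp())
    print(check_csp(build_csp()))  # [] when the generated policy is self-consistent
```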