Fixing WalkMe with CSP (Content Security Policy)

WalkMe is a tool with many uses including guiding staff through adoption of new online platforms. You can add it to a web application by adding the snippet described in the official documentation.

If you have Content Security Policy (CSP) enabled, which you should, there is one additional step which you must follow before everything will start working.

The safest way, without compromising too much on security, is to update your Content-Security-Policy meta tag to whitelist the WalkMe Content Distribution Network (CDN) and tracking domain. An example illustrating this can be found below:

<meta http-equiv="Content-Security-Policy" content="
  connect-src 'self' https://cdn.walkme.com https://ec.walkme.com;
  script-src 'self' 'unsafe-eval' https://cdn.walkme.com https://ec.walkme.com;
  font-src 'self' https://cdn.walkme.com;
  style-src 'self' https://cdn.walkme.com;
  img-src 'self' https://cdn.walkme.com https://*.walkmeusercontent.com;
">

If you already have some of these directives set in your meta tag, you can just add the WalkMe domains to the end of each one. Make sure that you keep 'self' in single quotes and end each directive with a semicolon, otherwise the policy will not parse as you expect.

Note that adding 'unsafe-eval' removes some of the protection that Content Security Policy provides (the word “unsafe” is there to discourage you from using it). This is unfortunately a necessary evil due to the way in which WalkMe has been implemented: if you don’t add it, WalkMe will not work.
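As an added check that is not part of the original post, the following Python lint parses a policy string, flags directive names that browsers do not recognise (a misspelt directive is silently ignored, so that resource type ends up unrestricted rather than blocked), reports any 'unsafe-*' keywords, and confirms the WalkMe hosts listed above are present. KNOWN_DIRECTIVES, WALKME_REQUIRED and SAMPLE_POLICY are constructed for this example; the sample deliberately contains the common slip of writing image-src instead of img-src.

```python
# Fetch directives browsers recognise (constructed subset of CSP Level 3).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "media-src", "object-src", "worker-src",
}
# Hosts the WalkMe snippet needs, per directive, as listed in the article.
WALKME_REQUIRED = {
    "connect-src": {"https://cdn.walkme.com", "https://ec.walkme.com"},
    "script-src": {"https://cdn.walkme.com", "https://ec.walkme.com"},
    "font-src": {"https://cdn.walkme.com"},
    "style-src": {"https://cdn.walkme.com"},
    "img-src": {"https://cdn.walkme.com", "https://*.walkmeusercontent.com"},
}
# Constructed sample policy containing the common 'image-src' slip.
SAMPLE_POLICY = (
    "connect-src 'self' https://cdn.walkme.com https://ec.walkme.com;"
    "script-src 'self' 'unsafe-eval' https://cdn.walkme.com https://ec.walkme.com;"
    "font-src 'self' https://cdn.walkme.com;"
    "style-src 'self' https://cdn.walkme.com;"
    "image-src 'self' https://cdn.walkme.com https://*.walkmeusercontent.com;"
)

def parse_csp(policy: str) -> dict:
    """{directive: [sources]}; a repeated directive keeps its first occurrence,
    which is how browsers treat duplicates."""
    result = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            result.setdefault(tokens[0].lower(), tokens[1:])
    return result

def lint_csp(policy: str) -> list:
    """Report unknown directives (ignored by browsers, so that resource type goes
    unrestricted), 'unsafe-*' keywords, and missing WalkMe hosts."""
    findings, directives = [], parse_csp(policy)
    for name, sources in directives.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}' will be ignored")
        for kw in ("'unsafe-eval'", "'unsafe-inline'"):
            if kw in sources:
                findings.append(f"{name} allows {kw}")
    for name, hosts in WALKME_REQUIRED.items():
        sources = directives.get(name, directives.get("default-src"))
        if sources is None:  # no directive and no default-src: unrestricted
            continue
        missing = sorted(hosts - set(sources))
        if missing:
            findings.append(f"{name} missing {', '.join(missing)}")
    return findings
```

Running lint_csp on your own policy before deploying it catches a misspelt directive at build time instead of after images, fonts or scripts start behaving unexpectedly in production.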