You should keep reading this if your application runs in an environment that enforces content security policies.

Content-Security-Policy lets you tell the browser which resources your page may load and how it may interact with third-party scripts.

Here are the policies you'll need to set to use Highlight:


This policy is to allow downloading the Highlight runtime code for session recording and error monitoring.

worker-src blob:

This policy allows our script to create a web worker, which we use to serialize the recording data without affecting the performance of your application.


This policy is to allow connecting with Highlight servers to send recorded session data.

Your CSP definition may look something like this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; worker-src blob:; connect-src;" />
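The `worker-src` requirement above is easy to break with a typo: a directive name written with a trailing colon is not recognized, so the browser ignores it and falls back to `child-src`, then `script-src`, then `default-src`. The following check is an added example, not Highlight's code; the function names and sample policies are constructed for illustration.

```javascript
// Added example: lint a CSP string for the blob: worker requirement.
// Directives are separated by ';'; the name and its sources by whitespace.
function parseCsp(policy) {
  const directives = new Map();
  const warnings = [];
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name.endsWith(':')) {
      // "worker-src:" is not a directive name; the whole directive is ignored.
      warnings.push(`invalid directive name "${name}" (remove the trailing colon)`);
      continue;
    }
    if (directives.has(name)) {
      // Browsers keep the first occurrence of a directive and ignore repeats.
      warnings.push(`duplicate directive "${name}" ignored`);
      continue;
    }
    directives.set(name, tokens.slice(1));
  }
  return { directives, warnings };
}

// worker-src falls back to child-src, then script-src, then default-src.
function effectiveWorkerSources(directives) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives.has(name)) return { from: name, sources: directives.get(name) };
  }
  return { from: null, sources: null }; // no directive restricts workers
}

function allowsBlobWorkers(policy) {
  const { directives, warnings } = parseCsp(policy);
  const { from, sources } = effectiveWorkerSources(directives);
  // A '*' source does not match the blob: scheme, so blob: must be listed explicitly.
  const allowed = sources === null || sources.some(s => s.toLowerCase() === 'blob:');
  return { allowed, from, warnings };
}

// Constructed sample policies (not taken from any real deployment).
const good = "default-src 'self'; script-src 'self'; worker-src blob:";
const colonTypo = "default-src 'self'; script-src 'self'; worker-src: blob:";
console.log(allowsBlobWorkers(good));      // allowed via worker-src
console.log(allowsBlobWorkers(colonTypo)); // blocked: falls back to script-src 'self'
```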