Question

Refuse to connect to 'https://api2.amplitude.com/2/httpapi' because it violates the following Content Security Policy

  • 11 April 2023
  • 6 replies
  • 480 views

Badge

We recently started using Amplitude to track the event when users verify their emails, so we added the tracking event method inside the Email Template from Auth0. The template is HTML code, and I use fetch to handle the event tracking. It works normally when I run it locally, but when the email is sent to an Outlook or Gmail account, I get the error shown in the image below.

I wonder if you can do some configurations on your end about it or what should I do? Thanks so much in advance for your help.

I will reply as soon as possible.

 

 


6 replies

Userlevel 5
Badge +8

@toni familyinmusic thanks for the message! I’ve sent this over to the support team to get their eyes on this.

Badge

Hi, do you guys have any updates about it? Thanks so much!

Userlevel 6
Badge +8

Hi @toni familyinmusic ! To help further troubleshoot this, can you share what SDK library and version you are using? Can you also share how you are installing the Amplitude SDK? 

Badge

Hi, I use the `HTTP API` to trigger an event inside an HTML file in “Verification Email (using Link)” inside the “Email Template” section from Auth0. If I copy that HTML code and run it locally, I can trigger the event, but when it is sent to the Outlook account, the error happens.

Below is the code I use to implement it.

 

```html
<script>
  // Assumes axios has already been loaded on the page.
  document.querySelector('#test1').addEventListener('click', async () => {
    const tokenOptions = {
      method: 'POST',
      url: `https://api2.amplitude.com/2/httpapi`,
      headers: {
        'content-type': 'application/json'
      },
      data: {
        api_key: "<API_KEY>",
        events: [
          {
            // Straight quotes here; typographic quotes are a syntax error in JavaScript.
            user_id: "c23568ua-8d95-4d92-90bb-c58fdf67cc4f",
            event_type: "Event A",
          }
        ]
      }
    };
    const res = await axios.request(tokenOptions);
    return res.data.code;
  });
</script>
```

Badge

If you have any questions, I will try to reply as soon as possible. Thanks!

 

Userlevel 6
Badge +8

Hi @toni familyinmusic ! 

Thank you for your patience :) I passed the information that you shared with me on to the Engineering team. The Engineering team tried reproducing this but couldn’t figure out how to reproduce your situation.

As such, this looks like a client-side issue. From the error, it seems like the machine on which the script is executed may not have the right permission, or it is blocked by the firewall.

We then pulled in a different team member who checked our WAF. He confirmed this is not something we block. We have a handful of sanctioned regions that we have to block, by law, but this doesn’t seem to fall under that. Moreover, our security policy of ELBSecurityPolicy-TLS-1-2-Ext-2018-06 doesn’t necessarily imply whatever is happening here at the Content Security Policy settings.

 

Based on the above, we concluded that this error might actually be referring to your content security policy and not ours. It looks like a rule on your servers as we also see an owa.#####.js

 

The Engineering team suggested that you check your server settings or ask your IT admins! 

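The last reply concludes that the error comes from the Content Security Policy of the page that renders the email, not from Amplitude. As an added example (not code from this thread or from Amplitude), the sketch below shows how a `connect-src` check decides whether a request to the endpoint is allowed; the policy string and the page origin are constructed for illustration and are not the actual policy of any mail client.

```javascript
// Added example: simplified CSP connect-src check (subset of CSP Level 3 matching;
// paths, ports and redirects are ignored; a host without a scheme matches on host only).
// CONSTRUCTED policy for illustration only; not the real policy of any webmail client.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; " +
  "connect-src 'self' https://*.mail.example wss://push.mail.example";

// Parse a policy string into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // When a directive is repeated, only its first occurrence is used.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does a single source expression allow the target URL?
function sourceMatches(source, target, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === pageOrigin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: not URL matches
  if (src === '*') return /^(https?|wss?):$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src; // e.g. "https:"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  return host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1)) // "*.a.example" matches subdomains only
    : target.hostname === host;
}

// Decide whether fetch/XHR to `url` is allowed on a page served from `pageOrigin`.
function checkConnect(policy, pageOrigin, url) {
  const directives = parseCsp(policy);
  // connect-src governs fetch/XHR/WebSocket; default-src is the fallback.
  const used = directives.has('connect-src') ? 'connect-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (used === null) return { allowed: true, directive: null };
  const target = new URL(url);
  const allowed = directives.get(used)
    .some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive: used };
}
```

The policy that applies is the one sent by the page hosting the script, so the same HTML opened locally with no policy makes the request without a violation.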