DemocracyLab/CivicTechExchange

Hotjar is not working

Closed this issue · 4 comments

On hotjar.com - for www.democracylab.org it reports:

There might be an issue with your tracking code. Verify tracking code installation

Then, if you visit democracylab.org and then open the debugger, there are these errors:

modules.cf97ff05ad84a23ed648.js:2 Refused to connect to 'https://vc.hotjar.io/sessions/1097784?s=0.25&r=0.05699358338635219' because it violates the following Content Security Policy directive: "connect-src 'self' https://democracylab-marlok.s3.amazonaws.com *.qiqochat.com qiqocableeu.herokuapp.com *.google-analytics.com *.nr-data.net *.hereapi.com *.hotjar.com https://blog.democracylab.org".

r.ajax @ modules.cf97ff05ad84a23ed648.js:2
modules.cf97ff05ad84a23ed648.js:2 Refused to connect to 'wss://ws.hotjar.com/api/v2/client/ws' because it violates the following Content Security Policy directive: "connect-src 'self' https://democracylab-marlok.s3.amazonaws.com *.qiqochat.com qiqocableeu.herokuapp.com *.google-analytics.com *.nr-data.net *.hereapi.com *.hotjar.com https://blog.democracylab.org".

r @ modules.cf97ff05ad84a23ed648.js:2
modules.cf97ff05ad84a23ed648.js:2 Refused to connect to 'https://content.hotjar.io/?gzip=1' because it violates the following Content Security Policy directive: "connect-src 'self' https://democracylab-marlok.s3.amazonaws.com *.qiqochat.com qiqocableeu.herokuapp.com *.google-analytics.com *.nr-data.net *.hereapi.com *.hotjar.com https://blog.democracylab.org".

r.ajax @ modules.cf97ff05ad84a23ed648.js:2

While *.hotjar.com does appear in several CSP_ parameters in democracylab/settings.py it may be that we need to specify it differently - perhaps including the transport, or the specific host.

From what I read on the website, it is possible that there is something wrong in the CSP_CONNECT_SRC and we need to fix it:
https://github.com/DemocracyLab/CivicTechExchange/blob/master/democracylab/settings.py#L403
From my guess, we can try adding https://*.hotjar.com, https://*.hotjar.io, and wss://*.hotjar.com in CSP_CONNECT_SRC.

@marlonkeating When I browse to democracylab.org/companies I get the above errors. When I browse to democracy-lab-dev.herokuapp.com I do not.

Also, when I go to democracy-lab-prod-mirror.herokuapp.com - the other property set up on Hotjar - I do get the same two errors as above.

Is there something in the environment of -dev that needs to be set to enable stronger content security checking?

I found this link to help with the content security policy settings: https://help.hotjar.com/hc/en-us/articles/115011640307-Content-Security-Policies

Closed by #1068
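
An added example (not from the issue thread or the DemocracyLab code base): a simplified Python model of `connect-src` host-source matching, run over the three URLs from the console errors above against the current source list and the additions suggested in the thread. It compares scheme and host only, and treating the page as served over HTTPS is an assumption.

```python
from urllib.parse import urlsplit

PAGE_SCHEME = "https"  # assumption: the protected page is served over HTTPS

# connect-src sources copied from the console errors quoted in the issue
CURRENT = ["'self'", "https://democracylab-marlok.s3.amazonaws.com",
           "*.qiqochat.com", "qiqocableeu.herokuapp.com",
           "*.google-analytics.com", "*.nr-data.net", "*.hereapi.com",
           "*.hotjar.com", "https://blog.democracylab.org"]
# the three sources suggested in the thread
PROPOSED = CURRENT + ["https://*.hotjar.com", "https://*.hotjar.io",
                      "wss://*.hotjar.com"]
# the three requests the browser refused, from the same console output
BLOCKED = ["https://vc.hotjar.io/sessions/1097784?s=0.25&r=0.05699358338635219",
           "wss://ws.hotjar.com/api/v2/client/ws",
           "https://content.hotjar.io/?gzip=1"]


def source_matches(source, url, page_scheme=PAGE_SCHEME):
    """Simplified host-source match: scheme and host only, no ports or paths."""
    if source.startswith("'"):
        return False  # keywords such as 'self' are not modelled here
    target = urlsplit(url)
    scheme, sep, host = source.rpartition("://")
    if not sep:
        scheme = page_scheme  # scheme-less source: the page's own scheme applies
    # Exact comparison; the secure upgrades browsers allow (http -> https,
    # ws -> wss) are not modelled and do not affect an HTTPS page.
    if scheme.lower() != target.scheme:
        return False
    host, name = host.lower(), (target.hostname or "")
    if host.startswith("*."):
        return name.endswith(host[1:])  # "*.hotjar.com" covers subdomains only
    return name == host


def allowed(policy, url):
    return any(source_matches(src, url) for src in policy)


def report(policy):
    """Map each refused URL to whether the given source list would allow it."""
    return {url: allowed(policy, url) for url in BLOCKED}


if __name__ == "__main__":
    for label, policy in (("current", CURRENT), ("proposed", PROPOSED)):
        for url, ok in report(policy).items():
            print(f"{label:8} {'allow' if ok else 'BLOCK'}  {url}")
```

Under this model the scheme-less `*.hotjar.com` entry fails for two separate reasons: it never covers the `hotjar.io` hosts, and on an HTTPS page it does not cover the `wss:` connection to `ws.hotjar.com`.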