Content Security Policies

Transcend Consent Manager can optionally generate a Content Security Policy for your site. We construct this policy using current user consent data in combination with your configured data flows.

Content Security Policy (CSP) is a browser feature that can add a layer of security, helping to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

CSP can be activated by setting your Unknown Request Policy to Block in the Consent Manager Developer Settings page of your Admin Dashboard.


Your CSP mode can be configured via the airgap.js CSP API. Note that your Unknown Request Policy must be set to Block in order to use a CSP.


Lax mode prevents your visitors from establishing connections to websites that have not been confirmed in your Data Flows. This mode allows for user consent to change without a page refresh.


Strict mode prevents your visitors from establishing connections to websites (and their subdomains) that are not allowed based on user tracking consent. This mode requires a page refresh whenever user tracking consent changes.


No CSP generation. Transcend Consent Manager will still provide protection against most network-based tracking. See our Regulation Roadmap for a list of network interfaces that we do not yet directly regulate without CSP.


Our consent manager connects to the following origins by default. Make sure to add these domains to your existing CSP to ensure that our consent manager can function properly:

  • https://cdn.transcend.io — CDN for Consent Manager resources (required)
  • https://sync.transcend.io — Consent Manager sync coordination endpoint (optional; set data-sync="off" to disable sync or set data-sync-endpoint="…" on your airgap.js script element to configure your own endpoint)
  • https://telemetry.transcend.io — Encountered host telemetry ingestion endpoint (required; set data-telemetry="usage" to reduce telemetry to just usage data essential for billing)
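
As an added example (not Transcend's own code), the following Node.js script audits an existing policy for the origins listed above and reports the ones it would block. The mapping of origins to directives in REQUIRED is an assumption, since this page lists the origins but not the directives they need; adjust it to match how your site loads airgap.js.

```javascript
// Added example: audit an existing CSP for the Transcend origins listed above.
// ASSUMPTION: the page names the origins but not the directives they need;
// the directive mapping below is illustrative and should be adjusted.
const REQUIRED = {
  'script-src': ['https://cdn.transcend.io'],
  'connect-src': ['https://sync.transcend.io', 'https://telemetry.transcend.io'],
};

// Parse a policy string into Map(directive -> sources). Per the CSP spec,
// a repeated directive is ignored, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression allow the whole https origin? Quoted keywords
// ('self', 'none', nonces) and path-restricted sources are treated as no.
function sourceAllows(source, origin) {
  const { protocol, hostname, port } = new URL(origin);
  const src = source.toLowerCase();
  if (src === '*' || src === protocol) return true; // wildcard or "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?\/?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, srcPort] = m;
  if (scheme && scheme + ':' !== protocol && !(scheme === 'http' && protocol === 'https:')) return false;
  const hostOk = host.startsWith('*.') ? hostname.endsWith(host.slice(1)) : hostname === host;
  const portOk = srcPort === undefined ? port === '' : srcPort === '*' || srcPort === (port || '443');
  return hostOk && portOk;
}

// Return [{directive, origin}] for each required origin the policy would block.
// A directive that is absent falls back to default-src; if neither is set,
// the policy places no restriction on that fetch type.
function missingOrigins(policy, required = REQUIRED) {
  const csp = parseCsp(policy);
  const missing = [];
  for (const [directive, origins] of Object.entries(required)) {
    const sources = csp.get(directive) ?? csp.get('default-src');
    if (sources === undefined) continue;
    for (const origin of origins) {
      if (!sources.some((s) => sourceAllows(s, origin))) missing.push({ directive, origin });
    }
  }
  return missing;
}
```

Run missingOrigins() against the exact header value your server sends; an empty array means every origin in REQUIRED is allowed by the policy.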