TL;DR
A/B testing with strict CSP: use a nonce-based CSP to allow your A/B testing script, avoid tools that rely on eval(), and handle inline styles with nonces or external stylesheets. ExperimentHQ supports CSP with nonce attributes. Server-side testing avoids the problem entirely, since no client-side script is injected.
CSP Challenges for A/B Testing
- Inline scripts blocked. Solution: use a nonce- or hash-based script-src.
- Inline styles blocked. Solution: use a style-src nonce or move the styles to external stylesheets.
- eval() blocked. Solution: avoid tools that rely on eval() or the Function constructor (adding 'unsafe-eval' to the policy would reopen the hole a strict CSP is meant to close).
- Third-party scripts. Solution: allowlist the vendor's CDN domain in script-src.
Nonce-Based Implementation
```javascript
// Server-side (Node.js/Express): generate a fresh nonce for every response
const crypto = require('crypto')
const nonce = crypto.randomBytes(16).toString('base64')

// Set the CSP header: only scripts carrying this nonce, or loaded from the CDN, may run
res.setHeader(
  'Content-Security-Policy',
  `script-src 'nonce-${nonce}' https://cdn.experimenthq.io`
)
```

```html
<!-- In the rendered page: put the same nonce on the A/B testing script tag -->
<script nonce="${nonce}" src="https://cdn.experimenthq.io/snippet.js"></script>
```

Tool CSP Support
CSP-Friendly
- ExperimentHQ (nonce support)
- Statsig (no inline scripts)
- LaunchDarkly (SDK-based)
CSP Challenges
- VWO (uses inline scripts)
- Optimizely (uses inline scripts)
- Most visual editors
CSP-Compliant Testing
ExperimentHQ supports nonce-based CSP. Contact us for implementation guidance.