| CSP Directive | Value to Add | Why |
|---|---|---|
| script-src | https://cdn.fitmyvehicle.com.au | Loads the fmv.js embed script |
| frame-src | https://cdn.fitmyvehicle.com.au | Widget opens as an iframe from the CDN |
| connect-src | Not needed | All API calls happen inside the iframe, not on your page |
| style-src | Not needed | The script uses `element.style.cssText` (DOM manipulation, not a `<style>` tag) — no CSP style directive changes needed |

Minimal CSP addition
```
script-src https://cdn.fitmyvehicle.com.au;
frame-src https://cdn.fitmyvehicle.com.au;
```
CSP is the #1 cause of “Builder won’t open.” If your site has a strict CSP and you haven’t whitelisted the FMV domains, the browser will block the script or iframe without showing any error on the page itself. Check your browser console (F12) for CSP violation errors.
How to check if you have a CSP
Open your browser’s developer tools (F12), go to the Network tab, reload the page, click on the main document request, and look for a Content-Security-Policy response header. If there isn’t one, you don’t need to do anything here.
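If a policy is already present, the two FMV sources have to be merged into it rather than appended as extra directives, because browsers ignore a repeated directive and an explicit script-src or frame-src replaces the default-src fallback. The JavaScript below is an added example (not FMV code) that performs that merge on a header value; the function names and the sample policy are constructed for illustration.

```javascript
// Added example: helper names and the sample policy are constructed, not FMV code.
const FMV_ORIGIN = 'https://cdn.fitmyvehicle.com.au'; // value from the table above

// A missing directive inherits from the next one in its chain (CSP fallback).
const CHAINS = {
  'script-src': ['script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};

// Parse a header value into Map(directive -> sources). The first occurrence
// of a directive wins; browsers ignore later duplicates.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return the policy with the FMV origin allowed for scripts and frames.
function allowFmv(header) {
  const policy = parseCsp(header);
  for (const [target, chain] of Object.entries(CHAINS)) {
    const governing = chain.find((d) => policy.has(d));
    if (!governing) continue; // nothing restricts this resource type
    // An explicit directive replaces its fallback entirely, so start from the
    // inherited sources. 'none' is only valid on its own, so drop it.
    const sources = policy.get(governing).filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(FMV_ORIGIN)) sources.push(FMV_ORIGIN);
    policy.set(target, sources);
  }
  return [...policy].map(([d, s]) => [d, ...s].join(' ')).join('; ');
}

// Constructed sample: only default-src is set, so both directives are derived from it.
console.log(allowFmv("default-src 'self'; img-src 'self' data:"));
```

If the existing script-src contains 'strict-dynamic', browsers ignore host sources in it, so the embed script tag needs the page's nonce instead of a host entry. The same merge applies to a policy delivered in a `<meta http-equiv="Content-Security-Policy">` tag rather than a response header.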
Not sure if this applies?
Most small-to-medium business websites don’t have a CSP. If the Builder opens fine after installation, you can skip this page entirely.
These common security headers do not need any changes for the FMV widget:
| Header | Impact |
|---|---|
| X-Frame-Options | Controls whether your page can be iframed by others. Does not affect your ability to iframe the FMV widget. No changes needed. |
| Permissions-Policy | The widget does not use geolocation, camera, microphone, or any restricted browser APIs. No changes needed. |
| Referrer-Policy | The widget does not rely on referrer headers from your page. No changes needed. |