Content Security Policy - Fit My Vehicle

CSP Directive	Value to Add	Why
`script-src`	`https://cdn.fitmyvehicle.com.au`	Loads the fmv.js embed script
`frame-src`	`https://cdn.fitmyvehicle.com.au`	Widget opens as an iframe from the CDN
`connect-src`	Not needed	All API calls happen inside the iframe, not on your page
`style-src`	Not needed	The script uses `element.style.cssText` (DOM manipulation, not a `<style>` tag) — no CSP style directive changes needed

Minimal CSP addition

script-src https://cdn.fitmyvehicle.com.au;
frame-src https://cdn.fitmyvehicle.com.au;

CSP is the #1 cause of “Builder won’t open.” If your site has a strict CSP and you haven’t whitelisted the FMV domains, the browser will silently block the script or iframe. Check your browser console (F12) for CSP violation errors.

How to check if you have a CSP

Open your browser’s developer tools (F12), go to the Network tab, reload the page, click on the main document request, and look for a Content-Security-Policy response header. If there isn’t one, you don’t need to do anything here.

Not sure if this applies?

Most small-to-medium business websites don’t have a CSP. If the Builder opens fine after installation, you can skip this page entirely.

Other security headers

These common security headers do not need any changes for the FMV widget:

Header	Impact
`X-Frame-Options`	Controls whether your page can be iframed by others. Does not affect your ability to iframe the FMV widget. No changes needed.
`Permissions-Policy`	The widget does not use geolocation, camera, microphone, or any restricted browser APIs. No changes needed.
`Referrer-Policy`	The widget does not rely on referrer headers from your page. No changes needed.

Documentation Index

​Minimal CSP addition

​How to check if you have a CSP

​Not sure if this applies?

​Other security headers

Minimal CSP addition

How to check if you have a CSP

Not sure if this applies?

Other security headers