
Allow justone.ai Script via Content Security Policy (CSP)

How to update your CSP so the justone.ai embed script can load

At a Glance

Introduction
Understanding the CSP Block
Solution: Update CSP Header
How to Implement


Introduction


Your site’s CSP currently blocks the JustOne embed script. This guide explains how to update your policy to permit it, while keeping your site secure.

 

Understanding the CSP Block


When loading the JustOne embed script (`https://justone.ai/embed/ju_init.js?v=2`), browsers may block it with an error like:  

Refused to load the script … violates … "script-src-elem 'self' 'unsafe-inline'"

This means the script’s domain isn’t in your `script-src-elem` list.

Solution: Update CSP Header


The reason your JustOne embed script is being blocked is that your site’s Content Security Policy currently says:

“Only load scripts from my own domain ('self') or scripts embedded inline ('unsafe-inline').”

That’s what this part of your CSP means:

script-src-elem 'self' 'unsafe-inline'

The browser sees the JustOne script coming from https://justone.ai — a domain that’s not in that list — and blocks it.

To fix this, you need to explicitly tell the browser that scripts from https://justone.ai are safe to load. You do this by adding that domain to your script-src-elem directive in your CSP.

Example: Current vs. Updated Policy

Before (blocks JustOne):

Content-Security-Policy: script-src-elem 'self' 'unsafe-inline';

After (allows JustOne):

Content-Security-Policy: script-src-elem 'self' 'unsafe-inline' https://justone.ai;

That one extra https://justone.ai at the end is the “permission slip” that tells the browser:

“It’s okay to load scripts from here too.”

 

How to Implement


If you set CSP via HTTP headers (recommended)

  • Add https://justone.ai to the script-src-elem list in your server configuration or CDN security settings.

If you set CSP via <meta> tags in your HTML

  • Update the content attribute to include https://justone.ai.

Examples by environment:

  • Nginx

    add_header Content-Security-Policy "script-src-elem 'self' 'unsafe-inline' https://justone.ai";
  • Apache
    Header set Content-Security-Policy "script-src-elem 'self' 'unsafe-inline' https://justone.ai"
  • WordPress
    • Adding code to functions.php
      add_action('send_headers', function() {
          header("Content-Security-Policy: script-src-elem 'self' 'unsafe-inline' https://justone.ai");
      });

  • Other
    Many hosts also offer other ways to add this through their platform settings. Please check with your provider about how to allow the https://justone.ai domain through your CSP.
  • Meta tag fallback (less secure than headers)
    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' 'unsafe-inline' https://justone.ai;">

💡 Tip:

If your CSP already contains other allowed domains, just add https://justone.ai to the existing list — don’t remove anything unless you’re sure it’s safe.
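
The tip above, as an added example (not code from JustOne or from this knowledge base): a small function that merges https://justone.ai into a policy you already have instead of replacing it, keeping every other directive intact. The names `parseCsp` and `allowScriptOrigin` are hypothetical, and writing the result to script-src-elem when only script-src or default-src exists is a choice made here so the fallback directive is not widened.

```javascript
// Added example (not JustOne's code): merge one origin into an existing CSP.
const JUSTONE_ORIGIN = "https://justone.ai"; // origin named in this article

// Parse "name a b; name2 c" into an ordered Map of directive -> [values].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return `policy` changed so <script> elements may load from `origin`.
function allowScriptOrigin(policy, origin = JUSTONE_ORIGIN) {
  const directives = parseCsp(policy);
  // <script> elements are checked against the first of these that exists.
  const governing = ["script-src-elem", "script-src", "default-src"]
    .find((name) => directives.has(name));
  if (!governing) return policy.trim(); // scripts are not restricted
  const current = directives.get(governing);
  if (current.some((s) => s.toLowerCase() === "'strict-dynamic'")) {
    // With 'strict-dynamic' browsers ignore host entries for scripts.
    throw new Error("'strict-dynamic' present: a host entry has no effect");
  }
  // 'none' must stand alone, so drop it once a real source is listed.
  const sources = current.filter((s) => s.toLowerCase() !== "'none'");
  if (!sources.includes(origin)) sources.push(origin);
  // Write the result to script-src-elem; a fallback directive that was
  // governing (script-src / default-src) keeps its original values.
  directives.set("script-src-elem", sources);
  return [...directives]
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

// Constructed sample policy (not taken from any real site).
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example";
console.log(allowScriptOrigin(SAMPLE));
```

Send the merged string as your single Content-Security-Policy header. Browsers enforce every CSP header they receive, so adding a second, looser header next to the existing one does not unblock the script.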