Can I use 'unsafe-inline' to make this go away?

Technically yes, but that defeats most of CSP. Allowlisting the Admaxxer domain is safer and more auditable.

Why do I also need img-src?

The pixel falls back to a 1x1 beacon image on page unload in some browsers where sendBeacon is flaky. Without img-src the unload events are lost.

Does the fix apply if my CSP is in a meta tag?

Yes, but HTTP headers take precedence when both are present. If a header CSP still blocks, editing the meta tag alone will not help.

CSP blocking admaxxer script.js

CSP Blocking admaxxer script.js

4 min read • install

Admaxxer is a DTC analytics platform with built-in Meta + Google ad ops. A strict Content Security Policy will block the Admaxxer pixel if you have not allowlisted the script host and the beacon endpoint, which silently kills every event. TL;DR: add the Admaxxer domain to your `script-src`, `connect-src`, and `img-src` directives; reload the page and confirm the browser console has no CSP violations. ## Symptoms - The Admaxxer realtime pane shows no visitors even though the site has traffic. - Browser DevTools -> Console prints errors like `Refused to load the script 'https://admaxxer.com/script.js' because it violates the following Content Security Policy directive: "script-src 'self'"`. - DevTools -> Network shows `admaxxer/script.js` as blocked (red) or 0 bytes. - The pixel initializer `window.admaxxer` is undefined on `window`. - Ecommerce events like `purchase` never appear in Admaxxer, but server webhook revenue still arrives. ## Root cause Modern sites ship a CSP header (either from the server or a `` tag) that restricts where scripts, XHR/fetch, images, and beacons can go. The Admaxxer pixel has three networked paths: 1. The `