The CSP policy is set by the web server, and ours is quite locked down due to security constraints. I need to add an exception for every host being accessed from our web pages.   I did see that {{Munchkin ID}}.mktoresp.com was being requested, but now also {{Munchkin ID}}.mktoutil.com, neither of which is documented in the official documentation.   Most Javascript APIs these days have a canonical set of CSP rules and I was simply looking for that set. ... View more

Sorry for not being clear! It's Content Security Policy: https://en.wikipedia.org/wiki/Content_Security_Policy Which is a large industry standard to prevent cross-site scripting (XSS). It allows a host to restrict what other hosts can load scripts on that page. So for instance, if you want to load the munchkin script, you would need to add "munchkin.marketo.net" to your "script-src" block of your CSP. It appears that the Munchkin code makes lots of callbacks to other hosts and this doesn't seem to be documented anywhere. ... View more