Content Security Policy for Microsoft's Clarity

Question

So I want to add Microsoft's Clarity to my website.

My website has a solid Content Security Policy, and my understanding is that it is bad to use unsafe-inline, so I'm not sure I can trust their CSP suggestions.

So I'd like to follow their final suggestion, specifically:

Clarity load balance between multiple environments in production.
If you need to add all individual Clarity domains to your CSP,
you can add
https://www.clarity.ms,
https://c.bing.com, and
https://[a-z].clarity.ms (i.e., a.clarity.ms, b.clarity.ms... z.clarity.ms).

Questions:

• Does CSP allow regexes like https://[a-z].clarity.ms?
• Would https://*.clarity.ms be fully secure, or could it possibly introduce vulnerabilities?

Answer 1

I first tried just adding one domain (i.e. b.clarity.ms), but I found out that didn't work since the load balancing rotation occurred frequently. I also didn't want to risk any vulnerabilities, so I omitted all wildcards.

Here is my current CSP to make Microsoft Clarity work in case anyone else needs this:

default-src 'none';
connect-src https://a.clarity.ms https://b.clarity.ms https://c.clarity.ms https://d.clarity.ms https://e.clarity.ms https://f.clarity.ms https://g.clarity.ms https://h.clarity.ms https://i.clarity.ms https://j.clarity.ms https://k.clarity.ms https://l.clarity.ms https://m.clarity.ms https://n.clarity.ms https://o.clarity.ms https://p.clarity.ms https://q.clarity.ms https://r.clarity.ms https://s.clarity.ms https://t.clarity.ms https://u.clarity.ms https://v.clarity.ms https://w.clarity.ms https://x.clarity.ms https://y.clarity.ms https://z.clarity.ms;
script-src 'self' https://www.clarity.ms;

Note that I did not include https://c.bing.com. This has not caused me any issues yet; I suspect this is because I turned off cookies for Microsoft's Clarity.

I'll update this CSP if anything fails again.