Osano CSP mistakes that break cookie consent

If you have ever dropped Osano cookie consent onto a site with a strict Content Security Policy and watched the banner silently fail, you already know the pattern: the site works, tracking is blocked, and the consent UI never appears or appears half-broken.

I have seen teams blame Osano, then blame CSP, then add 'unsafe-inline' everywhere and move on. That is usually the wrong fix.

The real problem is that cookie consent tools sit in an awkward place in the page lifecycle. They load early, inject UI, sometimes create inline styles or scripts, may talk to remote APIs, and often sit next to Google Tag Manager or analytics code. CSP catches every one of those assumptions.

Here are the common mistakes I see with Osano cookie consent, and the fixes that actually hold up in production.

Mistake 1: Only allowing the Osano script host

A lot of developers start with script-src and stop there.

Something like this:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cmp.osano.com

Then the banner still breaks.

Why? Because consent platforms rarely need only scripts. They usually need styles, images, XHR/fetch, and sometimes frames. If your policy only allows the script loader, the main JavaScript may arrive but fail later when it tries to fetch config, render assets, or inject the UI.

This is the same pattern you can see in real-world consent setups. A live header from headertest.com includes multiple directives for the consent platform, not just script-src:

content-security-policy: default-src 'self' https://www.googletagmanager.com https://*.cookiebot.com https://*.google-analytics.com; script-src 'self' 'nonce-Y2YxMDk2ODktZTYzMC00YzcxLWIyNGYtOGU2MjJkYjczNDc5' 'strict-dynamic' https://www.googletagmanager.com https://*.cookiebot.com https://*.google-analytics.com; style-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://*.cookiebot.com https://consent.cookiebot.com; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.headertest.com https://tallycdn.com https://or.headertest.com wss://or.headertest.com https://*.google-analytics.com https://*.googletagmanager.com https://*.cookiebot.com; frame-src 'self' https://consentcdn.cookiebot.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'

Different vendor, same lesson: consent tooling touches several directives.

Fix

Build the policy from actual Osano network behavior, not assumptions. Start with:

• script-src
• style-src
• connect-src
• img-src
• frame-src if Osano uses an iframe in your integration
• font-src if their UI loads remote fonts

A practical starting point looks like this:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cmp.osano.com;
  style-src 'self' https://cmp.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com;
  font-src 'self';
  frame-src 'self';
  object-src 'none';
  base-uri 'self';
  form-action 'self';

Then tighten or expand based on actual violation reports and DevTools network logs.

Mistake 2: Forgetting inline bootstrapping code

The Osano install snippet often involves inline JavaScript, or your own code may initialize consent state before your app starts.

If your CSP is strict and you do this:

<script>
  window.cookieconsent.initialise({
    palette: {
      popup: { background: "#000" }
    }
  });
</script>

this will be blocked unless you allow it with a nonce or hash.

The lazy fix is:

script-src 'self' 'unsafe-inline' https://cmp.osano.com

I would avoid that unless you truly have no better option.

Fix

Use a nonce for the inline bootstrap code.

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-r4nd0m123' https://cmp.osano.com;
  style-src 'self' https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  object-src 'none';
  base-uri 'self';

And in the HTML:

<script nonce="r4nd0m123" src="https://cmp.osano.com/.../osano.js"></script>
<script nonce="r4nd0m123">
  window.cookieconsent.initialise({
    type: "opt-in"
  });
</script>

If your framework renders the nonce server-side, this is clean and maintainable. If you need examples for nonce-based policies, the ready-made patterns at https://csp-examples.com are useful.

Mistake 3: Breaking the banner with style-src restrictions

This one gets people constantly.

Cookie banners often inject inline styles or manipulate style attributes at runtime. If your CSP says:

style-src 'self'

the script may load, but the UI renders unstyled, invisible, or badly positioned.

The ugly fix is adding 'unsafe-inline' to style-src. Sometimes that is unavoidable with third-party consent tools. The headertest.com example above does exactly that for a consent integration.

Fix

Try these in order:

1. Prefer vendor-hosted stylesheets if Osano supports them.
2. If your implementation injects a small known inline style block, use a hash.
3. If Osano relies on runtime inline styles you cannot control, allow 'unsafe-inline' in style-src and keep the rest of the policy tight.

Example with the pragmatic compromise:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-r4nd0m123' https://cmp.osano.com;
  style-src 'self' 'unsafe-inline' https://cmp.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com;
  object-src 'none';
  base-uri 'self';

I do not love 'unsafe-inline', but I dislike broken consent flows more. If you have to use it, limit the blast radius to style-src, not script-src.

Mistake 4: Blocking consent API calls in connect-src

This is the one that slips past code review because the script tag is present and no obvious CSP error appears until interaction happens.

The banner loads, but:

• preferences do not save
• geolocation or region logic fails
• consent state does not sync
• the UI hangs after clicking Accept

That usually points at connect-src.

Fix

Watch the Network tab while accepting or rejecting cookies. Then allow the exact Osano endpoints involved.

Example:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cmp.osano.com;
  style-src 'self' 'unsafe-inline' https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com https://consent.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  object-src 'none';

Do not paper over this with connect-src https: unless you enjoy slowly turning CSP into decorative text.

Mistake 5: Using default-src as if it covers everything cleanly

I still see policies like this:

Content-Security-Policy: default-src 'self' https://cmp.osano.com

Technically, yes, unspecified fetch directives can fall back to default-src. Practically, this becomes hard to reason about fast.

Consent platforms are exactly where you want explicit directives, because they often coexist with GTM, analytics, ad tech, and app code. A broad default-src hides what is really allowed.

Fix

Be explicit for the directives Osano needs:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cmp.osano.com;
  style-src 'self' 'unsafe-inline' https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  frame-src 'self';
  font-src 'self';
  object-src 'none';
  base-uri 'self';
  form-action 'self';
  frame-ancestors 'none';

This is easier to audit and much easier to debug six months later.

Mistake 6: Forgetting that GTM and Osano affect each other

A lot of Osano deployments are not isolated. They gate Google Tag Manager, Analytics, Meta pixels, and custom tags. So the CSP problem is not just “make Osano load.” It is “make Osano load and then allow the right downstream resources after consent.”

The headertest.com policy is a good real-world reminder here. The consent tool sits alongside GTM and GA allowances in the same policy. That is normal.

Fix

Model the whole consent path:

1. Osano script and UI loads
2. User interacts with banner
3. Consent state is stored or fetched
4. GTM or analytics loads conditionally
5. Any frames, images, or beacons triggered after consent are still covered

That means your final policy often looks more like this:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-r4nd0m123' https://cmp.osano.com https://www.googletagmanager.com;
  style-src 'self' 'unsafe-inline' https://cmp.osano.com;
  img-src 'self' data: https: https://www.googletagmanager.com;
  connect-src 'self' https://cmp.osano.com https://www.google-analytics.com https://region1.google-analytics.com;
  frame-src 'self' https://www.googletagmanager.com;
  font-src 'self';
  object-src 'none';
  base-uri 'self';
  form-action 'self';
  frame-ancestors 'none';

The exact domains depend on your stack, but the point is to test the consent workflow, not just the initial page load.

Mistake 7: Shipping CSP changes without Report-Only first

When teams tighten CSP around a consent banner in production, they often break it for users in specific regions, languages, or routes they did not test.

Consent code tends to be conditional. Region-based behavior is especially good at hiding missing connect-src or frame-src entries.

Fix

Roll changes out in Content-Security-Policy-Report-Only first.

Content-Security-Policy-Report-Only:
  default-src 'self';
  script-src 'self' 'nonce-r4nd0m123' https://cmp.osano.com;
  style-src 'self' 'unsafe-inline' https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  object-src 'none';
  base-uri 'self';

Then trigger:

• first visit
• accept all
• reject all
• open preferences
• save preferences
• revisit with stored consent
• test from different geos if your Osano setup is geo-aware

After that, enforce it.

Mistake 8: Not pinning down the exact Osano domains you use

Developers either go too narrow and miss required endpoints, or too broad and allow half the internet.

Fix

Inventory the actual Osano domains your implementation touches. Keep them explicit. If you need a wildcard, use it because the vendor architecture requires it, not because it is convenient.

Also, keep the policy comments somewhere in source control. Future-you will not remember why a specific domain was added during a consent rollout at 11 PM.

A sane baseline

If I were starting fresh with Osano, I would begin with something like this and then refine it from real traffic:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-{RANDOM}' https://cmp.osano.com;
  style-src 'self' 'unsafe-inline' https://cmp.osano.com;
  img-src 'self' data: https://cmp.osano.com;
  connect-src 'self' https://cmp.osano.com;
  font-src 'self';
  frame-src 'self';
  object-src 'none';
  base-uri 'self';
  form-action 'self';
  frame-ancestors 'none';

Then I would test the full consent lifecycle and only add hosts that are proven necessary.

If you want a starting template for broader CSP patterns, especially nonce-based setups, https://csp-examples.com is handy. For vendor-specific behavior, always verify against Osano’s official documentation and your own network traces, because consent tooling changes over time and CSP cargo-culting is how broken banners end up in production.