am experiencing a persistent Content Security Policy (CSP) violation on my Vercel-hosted site, zenvestt.com, which is preventing services like Tawk.to from loading correctly.
I have updated my vercel.json file with the correct CSP directives to allow all the necessary domains, including 'unsafe-inline', blob:, https://va.tawk.to, https://embed.tawk.to, and others.
Despite performing multiple deployments and a forced redeploy with the build cache disabled, the browser console still shows that a stale CSP is being applied. This issue persists across multiple devices, browsers, and even in incognito mode.
The errors being reported are consistently:
-
Fetch API cannot load https://va.tawk.to/... Refused to connect because it violates the document's Content Security Policy. -
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' ...".
I have confirmed with curl that Vercel is serving the correct Content-Security-Policy header.