Normally the CSP is delivered as a header to your users' browser by your web-server and for many websites, it simply declares that only scripts/styles from your own domain and that of any tools that you are using is allowed. This can however become more complicated when complex setups are in play.
If you are using a default CSP then adding the below to your default-src rules should be sufficient.
default-src ... *.mouseflow.com 'unsafe-eval';
If you want stricter restrictions we would recommend the setup below to ensure that your policies will be more future-proof as we expand our services. Here's an example of what that may look like:
img-src ... *.mouseflow.com;
script-src ... *.mouseflow.com 'unsafe-eval' 'unsafe-inline';
connect-src ... *.mouseflow.com;
frame-src ... *.mouseflow.com;
child-src ... *.mouseflow.com;
font-src ... *.mouseflow.com;
The '...' in the examples above designate already existing content in your CSP