Analytics.js: Add FAQ about CSPs

- add section about whitelisting domains for customers using CSPs 
- this section was previously part of our "Upgrade to AJS 2.0" page, which is no longer readily accessible to customers

Author: sarahrudy

src/connections/sources/catalog/libraries/website/javascript/troubleshooting.md

@@ -203,6 +203,24 @@ Regarding cookies set by [device-mode destinations](/docs/connections/destinatio
 
 The Analytics.js library sets the `context.page.referrer` value from the `window.document.referrer` [property](https://developer.mozilla.org/en-US/docs/Web/API/Document/referrer){:target="_blank"} set in the browser. If you notice unexpected referrer values reaching Segment, check how this value is being set on your website.
 
+## Does Segment support using strict Content Security Policy (CSP) on the page?
+
+If you are using a nonce-based security policy that allows JavaScript to be downloaded from specific locations, then you will need to update the CSP to account for all Segment domains. Therefore, beyond allowing the main `analytics.min.js` script, you should also allow the following paths in your CSP:
+- `https://cdn.segment.com/v1/projects/<WRITE_KEY>/settings`
+- `https://cdn.segment.com/analytics-next/bundles/*`
+- `https://cdn.segment.com/next-integrations/integrations/*`
+
+Your CSP may also require whitelisting approved domains, in which case you'll want to allow the following endpoints: 
+- `api.segment.io`
+- `api.segment.com`
+- `track.segment.com`
+- `cdn.segment.com`
+
+You will also need to modify the Segment script with your `nonce` tag, which should match the value specified in your Content Security Policy.
+
+> info ""
+> Since Segment interacts with several integrations, support surrounding Content Security Policy issues is limited.
+
 ## Known issues:
 
 [Review and contribute to these on GitHub](https://github.com/segmentio/analytics.js/issues).