Content Security Policies
Content Security Policies (CSP) are delivered as headers to your users' browsers by your web server, and they declare which dynamic resources are allowed to load on your page. By specifying approved sources, you can protect your visitors from a whole range of issues, but this does require the site administrator to maintain an up-to-date list of approved sources.
In most cases it is sufficient to declare that scripts and styles are allowed only from your own domain and from the domains of any tools you are using. Sites that use external resources may need a more complex set of directives.
For Feefo, choose one of the following:
Option 1
The simplest option to allow Feefo integration widgets to run within a site implementing a CSP is to append the following values to your existing default-src directive:
https://*.feefo.com https://*.vzaar.com data: 'unsafe-eval' 'unsafe-inline'
Option 2
If you would like stricter conditions, append each of the following sets of CSP values to the appropriate directive (named on the line above each set):
script-src
https://*.feefo.com 'unsafe-eval' 'unsafe-inline';
connect-src
https://*.feefo.com;
img-src
data: https://*.feefo.com https://*.vzaar.com;
font-src
data:;
media-src
https://*.vzaar.com https://*.feefo.com;
Option 3
To apply the strictest CSP conditions but still allow our integration widgets to run, append the following values to the directives (named on the line above each set):
script-src
https://register.feefo.com https://api.feefo.com/api/javascript/your_Feefo_merchant_identifier 'unsafe-eval' 'unsafe-inline';
connect-src
https://api.feefo.com;
img-src
data: https://api.feefo.com https://www.feefo.com https://view.vzaar.com https://resources.vzaar.com;
font-src
data:;
media-src
https://video.vzaar.com https://view.vzaar.com;
Notes:
When appending values to an existing set of directives, ensure that values are not duplicated.
Vzaar are Feefo's video hosting provider.
For details of your_Feefo_merchant_identifier, see "Where to find my merchant identifier?"
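One way to append the Option 2 values without duplicating them, as an added example (not Feefo's code). When a directive is missing from the existing policy, it seeds the new one from default-src, because adding script-src or font-src stops the browser falling back to default-src for that resource type. The existing policy and the function names are constructed for illustration; the last helper lists 'unsafe-inline' and 'unsafe-eval', which allow injected inline script and eval() to run, so the merged policy can be reviewed.

```javascript
// Values from Option 2 on this page; everything else here is constructed for illustration.
const FEEFO_OPTION_2 = {
  "script-src": ["https://*.feefo.com", "'unsafe-eval'", "'unsafe-inline'"],
  "connect-src": ["https://*.feefo.com"],
  "img-src": ["data:", "https://*.feefo.com", "https://*.vzaar.com"],
  "font-src": ["data:"],
  "media-src": ["https://*.vzaar.com", "https://*.feefo.com"],
};

// Parse "name v1 v2; name2 v3" into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so keep the first occurrence only.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Append the given values to each directive, skipping values already present.
function mergeCsp(header, additions) {
  const policy = parseCsp(header);
  for (const [name, extra] of Object.entries(additions)) {
    // A directive that is absent falls back to default-src; once it is added that
    // fallback stops, so start the new directive from the default-src sources.
    const base = policy.get(name) ?? policy.get("default-src") ?? [];
    // 'none' only has meaning on its own, so drop it once sources are added.
    const kept = base.filter((v) => v.toLowerCase() !== "'none'");
    policy.set(name, [...new Set([...kept, ...extra])]);
  }
  return [...policy].map(([n, v]) => [n, ...v].join(" ")).join("; ");
}

// List the keywords in the effective script policy that permit inline script and eval().
function weakScriptSources(header) {
  const policy = parseCsp(header);
  const scripts = policy.get("script-src") ?? policy.get("default-src") ?? [];
  return scripts.filter((v) => ["'unsafe-inline'", "'unsafe-eval'"].includes(v.toLowerCase()));
}

// Constructed existing policy: already lists Feefo for scripts, has no connect/font/media directive.
const EXISTING = "default-src 'self'; script-src 'self' https://*.feefo.com; img-src 'self' data:";
const MERGED = mergeCsp(EXISTING, FEEFO_OPTION_2);
console.log(MERGED);
console.log(weakScriptSources(MERGED));
```

Running the merge a second time on its own output leaves the policy unchanged, which is the property the note about duplicated values asks for.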
Updated 9 months ago