API ReferenceSupport

Content Security Policies

Suggest Edits

Content Security Policies (CSP) are delivered as headers to your users' browser by your web-server and they are used to declare which dynamic resources are allowed to load on your page. By specifying approved sources, you can protect your visitors from a whole range of issues but this does require the site administrator to maintain an up-to-date list of approved sources.

Simply declaring that scripts/styles from only your own domain and that of any tools that you are using are allowed will, in most cases, be sufficient, but for sites using external resources, a set of more complex directives may be necessary.

For Feefo, choose one of the following:

Option 1

The simplest option to allow Feefo integration widgets to run within a site implementing a CSP policy is to append the following values to your existing default-src directive:

<https://_.feefo.com> <https://_.vzaar.com> data: 'unsafe-eval' 'unsafe-inline'

Option 2

If you would like stricter conditions, append each of the following sets of CSP values to the appropriate directive (shown in italics):

script-src

https\://\*.feefo.com 'unsafe-eval' 'unsafe-inline';

connect-src

https\://\*.feefo.com;

img-src

data: <https://_.feefo.com> <https://_.vzaar.com>;

font-src

data:;

media-src

<https://_.vzaar.com> <https://_.feefo.com>;

Option 3

To apply the strictest CSP conditions but still allow our integration widgets to run, append the following values to the directives (shown in italics):

script-src

<https://register.feefo.com> <https://api.feefo.com/api/javascript/your_Feefo_merchant_identifier> 'unsafe-eval' 'unsafe-inline';

connect-src

<https://api.feefo.com>;

img-src

data: <https://api.feefo.com> <https://www.feefo.com> <https://view.vzaar.com> <https://resources.vzaar.com>;

font-src

data:;

media-src

<https://video.vzaar.com> <https://view.vzaar.com>;

πŸ“˜

Notes:

When appending values to an existing set of directives, ensure that values are not duplicated.

Vzaar are Feefo's video hosting provider.

For details of your_Feefo_merchant_identifier see Where to find my merchant identifier?

Updated 2 months ago