We are offering the possibility of using Usersnap with Content Security Policy (CSP), which enhances certain security issues.
Please follow the instructions on this page to use Usersnap with CSP.
For activating CSP with the usage of a nonce, a random hash (nonce) has to be defined.
This nonce is then used to authenticate scripts.
To enable CSP in the browser the
Content-Security-Policy header has to be set. In it, different permissions of different URLs or nonce hashes are set.
Content-Security-Policy: " default-src 'self'; script-src *.usersnap.com 'YOUR-NONCE' 'self'; connect-src *.usersnap.com 'YOUR-NONCE' 'self'; style-src *.usersnap.com *.googleapis.com 'YOUR-NONCE'; img-src *.usersnap.com; font-src *.usersnap.com *.gstatic.com; "
To enable Usersnap with CSP, the nonce which is used for Usersnap needs the following permissions:
Also, the domain
*.usersnap.com needs permissions:
Since we are using Google fonts,
*.googleapis.com needs the
style-src permission, and
*.gstatic.com needs the
font-src permission. This is only needed if you configured the widget to use any other font than our default font "Inter".
Finally, for activating the widget itself, the nonce hash must be added as an attribute to the embedded script tag and as a parameter to the script source:
<script nonce="YOUR-NONCE" src="https://widget.usersnap.com/load/YOUR-API-KEY?onload=onUsersnapCXLoad&n=YOUR-NONCE" async></script>
Updated 24 days ago