Content Security Policies

Content Security Policies let you have fine-grained control on what content your site can serve which helps you avoid XSS attacks.

Base Rules

If you have a content security policy in place, in order for Browsee to function you will need to allow the following rules:

script-src: ...
connect-src: ... https://* wss://

In addition to this if you are using our notifications like Feedback forms, Surveys, or notification bars you will also need to augment the following rules:

img-src: ...
style-src: ... 'unsafe-inline'

Inline Snippet

Since we use an inline Javascript snippet, which allows you to make API calls instantly without having to wait for our asynchronous Javascript file to load we also need it to execute inline.

The best way to allow it is using a hash to the script source of your snippet.

We can't tell you the hash value here, as it depends on your snippet and even the formatting of how you place the snippet (even spaces and new line characters can change the hash value).

However, the best way to find it is, when you add our snippet to your site, you will see an error like this in your console.

Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self'". Either the 'unsafe-inline'
keyword, a hash ('sha256-LIWxvaPcpStKaib3stZibHkJmqC6mzhCozh5zG32eP4='), or a
nonce ('nonce-...') is required to enable inline execution.

When you see this error, you can just use sha256-LIWxvaPcpStKaib3stZibHkJmqC6mzhCozh5zG32eP4= , in your script-src directive to allow its execution. This should complete everything you need to do, to allow Browsee to run with your CSP.

You can also alternatively add unsafe-inline in your script-src to allow our inline snippet. However, we don't recommend it as along with ours it allows any inline Javascript to execute.

If you want to find the hash value without having to run the server once. You can compute it as

echo -n "Everything between <script> tags in your snippet" | openssl dgst -sha256 -binary | openssl enc -base64

Remember to not include the <script> tags while computing this. In practice, we have found just copying the value from the console error more convenient.

Last updated