Content Security Policies

A Content Security Policy (CSP) gives you fine-grained control over what content your site can serve, which helps you avoid XSS attacks.

Base Rules

If you have a content security policy in place, you need to allow the following sources for Browsee to function (the ... stands for the sources already in your policy):

script-src: ... https://cdn.browsee.io
connect-src: ... https://*.browsee.io wss://session.browsee.io

In addition, if you use our notifications, such as feedback forms, surveys, or notification bars, you also need to extend the following directives:

img-src: ... https://static.browsee.io
style-src: ... https://static.browsee.io 'unsafe-inline'

Inline Snippet

We use an inline JavaScript snippet, which allows you to make API calls instantly without having to wait for our asynchronous JavaScript file to load, so the snippet also needs to be allowed to execute inline.

The best way to allow it is to add a hash of your snippet's script source to your policy.

We can't tell you the hash value here, as it depends on your snippet and even on how you format it when you place it (even spaces and newline characters can change the hash value).

However, the best way to find it is to add our snippet to your site; you will then see an error like this in your console:

Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self'". Either the 'unsafe-inline'
keyword, a hash ('sha256-LIWxvaPcpStKaib3stZibHkJmqC6mzhCozh5zG32eP4='), or a
nonce ('nonce-...') is required to enable inline execution.

When you see this error, add the hash it reports ('sha256-LIWxvaPcpStKaib3stZibHkJmqC6mzhCozh5zG32eP4=' in this example, including the single quotes) to your script-src directive to allow the snippet to execute. This should complete everything you need to do to allow Browsee to run with your CSP.

Alternatively, you can add 'unsafe-inline' to your script-src to allow our inline snippet. However, we don't recommend it, because along with ours it allows any inline JavaScript to execute.

If you want to find the hash value without having to run the server once, you can compute it as follows:

echo -n "Everything between <script> tags in your snippet" | openssl dgst -sha256 -binary | openssl enc -base64

Remember not to include the <script> tags themselves when computing this. In practice, we have found just copying the value from the console error more convenient.
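
The hash computation described above, as an added example (not Browsee's own code): it extracts each inline script from a page, computes the hash source a browser would report for it, and appends it together with the Browsee sources to an existing policy. The sample page, its placeholder snippet body and the function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(script_text):
    """CSP hash source for the exact text between the <script> tags."""
    # Browsers turn CRLF/CR into LF while parsing HTML, then hash the UTF-8 bytes.
    text = script_text.replace("\r\n", "\n").replace("\r", "\n")
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineScripts(HTMLParser):
    """Collects the body of every <script> element that has no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # the body may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def inline_script_hashes(html):
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return [csp_hash(body) for body in parser.scripts]

def add_sources(policy, directive, sources):
    parts = [p.split() for p in policy.split(";") if p.strip()]
    by_name = {p[0].lower(): p for p in parts}
    if directive not in by_name:
        # A missing fetch directive falls back to default-src, so copy its sources.
        by_name[directive] = [directive, *by_name.get("default-src", [""])[1:]]
        parts.append(by_name[directive])
    by_name[directive].extend(s for s in sources if s not in by_name[directive])
    return "; ".join(" ".join(p) for p in parts)

# Constructed sample: one inline snippet (placeholder body) and one external script.
PAGE = ('<script>\n  window.demoQueue = window.demoQueue || [];\n</script>'
        '<script src="https://example.com/app.js"></script>')

if __name__ == "__main__":
    print(add_sources("default-src 'self'", "script-src",
                      ["https://cdn.browsee.io", *inline_script_hashes(PAGE)]))
```

Reading the snippet from the served HTML also avoids the shell expanding $, backticks and double quotes inside the snippet when it is passed to echo in a double-quoted string.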


Last updated 1 year ago
