A Content Security Policy (CSP) is delivered to your users' browsers by your web server, normally as the Content-Security-Policy response header, and declares which resources (scripts, styles, images, fonts, media, XHR/fetch connections and so on) the browser may load on the page. By listing only approved sources you protect your visitors from a whole range of injection issues, most notably cross-site scripting, but this does require the site administrator to keep the list of approved sources up to date: any source missing from the list is simply blocked by the browser.
Declaring that scripts and styles may be loaded only from your own domain and from the domains of the tools you use will, in most cases, be sufficient, but sites that pull in external resources may need a more detailed set of directives. For Feefo, choose one of the following:
Option 1
The simplest option to allow the Feefo integration widgets to run on a site that enforces a CSP is to append the following values to your existing default-src directive. Bear in mind that default-src is the fallback for every fetch directive you have not set explicitly, so this also grants 'unsafe-inline' and 'unsafe-eval' to scripts and styles across the whole page, which removes most of the protection CSP gives you against injected script; prefer Option 2 or Option 3 where you can.
https://*.feefo.com https://*.vzaar.com data: 'unsafe-eval' 'unsafe-inline'
Option 2
If you would like stricter conditions, append each of the following sets of CSP values to the directive named above it:
script-src
https://*.feefo.com 'unsafe-eval' 'unsafe-inline';
connect-src
https://*.feefo.com;
img-src
data: https://*.feefo.com https://*.vzaar.com;
font-src
data:;
media-src
https://*.vzaar.com https://*.feefo.com;
Option 3
To apply the strictest CSP conditions while still allowing our integration widgets to run, append the following values to the directive named above each set. The script-src entry carries a path: a source with a path and no trailing slash matches that one URL only, which is what makes this the strictest option.
script-src
https://register.feefo.com https://api.feefo.com/api/javascript/your_Feefo_merchant_identifier 'unsafe-eval' 'unsafe-inline';
connect-src
https://api.feefo.com;
img-src
data: https://api.feefo.com https://www.feefo.com https://view.vzaar.com https://resources.vzaar.com;
font-src
data:;
media-src
https://video.vzaar.com https://view.vzaar.com;
Notes:
When appending values to an existing policy, edit the directive in place rather than adding a second directive with the same name or a second Content-Security-Policy header: browsers ignore a repeated directive name within one policy (the first occurrence wins), and when several CSP headers are present every one of them must allow a resource, so the original, stricter header would still block the widget. Duplicate source values are harmless but should be avoided for clarity.
If your script-src already uses nonces or hashes, browsers ignore 'unsafe-inline' in that directive, so check that the widget still renders after you deploy the change.
Before enforcing the new policy, deploy it as Content-Security-Policy-Report-Only alongside your existing policy and check the browser console or your report-uri/report-to endpoint for violations involving feefo.com or vzaar.com.
Vzaar is Feefo's video hosting provider.
For details of your_Feefo_merchant_identifier, see "Where to find my merchant identifier?"
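The following script is an added example and is not part of this article or of Feefo's integration code. It merges the Option 3 values above into a constructed existing policy (EXISTING_POLICY, with the placeholder merchant identifier kept as written) without duplicating values, seeds any newly created directive from default-src so the 'self' fallback is not silently lost, and then evaluates sample URLs against the merged policy the way a browser's source matching works: scheme-sources such as data:, host-sources with a leading wildcard label and an optional path, and 'self'. Nonces, hashes, ports beyond a literal match and redirect handling are deliberately out of scope.

```python
"""Merge CSP source lists into an existing policy and check URLs against the result.

Added example, not Feefo's code. EXISTING_POLICY is a constructed starting policy;
the merchant identifier is the article's placeholder, not a real one.
"""
from urllib.parse import urlsplit

# Constructed starting point: a policy of the kind a shop might already send.
EXISTING_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net; img-src 'self'"

# Option 3 from the article, keyed by directive (placeholder merchant identifier kept).
FEEFO_OPTION_3 = {
    "script-src": [
        "https://register.feefo.com",
        "https://api.feefo.com/api/javascript/your_Feefo_merchant_identifier",
        "'unsafe-eval'", "'unsafe-inline'",
    ],
    "connect-src": ["https://api.feefo.com"],
    "img-src": ["data:", "https://api.feefo.com", "https://www.feefo.com",
                "https://view.vzaar.com", "https://resources.vzaar.com"],
    "font-src": ["data:"],
    "media-src": ["https://video.vzaar.com", "https://view.vzaar.com"],
}


def parse_policy(header):
    """Return {directive: [source, ...]}. A repeated directive name keeps only its
    first occurrence, mirroring browsers, which ignore later duplicates."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_policy(policy):
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


def merge_sources(header, additions):
    """Append sources to the named directives without duplicating values.

    A directive that does not exist yet is seeded from default-src: once an explicit
    img-src (say) exists, default-src no longer applies to images, so creating the
    directive empty would silently drop the 'self' the fallback used to provide."""
    policy = parse_policy(header)
    for directive, sources in additions.items():
        current = policy.setdefault(directive, list(policy.get("default-src", [])))
        for src in sources:
            if src not in current:
                current.append(src)
    return serialize_policy(policy)


def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def source_allows(source, url, page_origin=None):
    """Does one source expression allow `url`? Handles scheme-sources (data:, https:),
    host-sources with an optional leading wildcard label and optional path, and 'self'.
    Nonces, hashes and the 'unsafe-*' keywords never match a URL, so they return False."""
    if source.startswith("'"):
        return source == "'self'" and page_origin is not None and _same_origin(page_origin, url)
    u = urlsplit(url)
    if source.endswith(":") and "/" not in source:              # scheme-source
        return u.scheme == source[:-1].lower()
    p = urlsplit(source if "://" in source else "//" + source)  # host-source, scheme optional
    if p.scheme and p.scheme != u.scheme:
        return False
    host, pat = (u.hostname or ""), (p.hostname or "")
    if pat.startswith("*."):
        if not host.endswith(pat[1:]):      # "*.feefo.com" matches www.feefo.com, not feefo.com
            return False
    elif pat != host:
        return False
    if p.port is not None and p.port != u.port:
        return False
    # Path matching: a trailing "/" means prefix match, anything else is an exact match.
    if p.path and p.path != "/":
        if p.path.endswith("/"):
            return u.path.startswith(p.path)
        return u.path == p.path
    return True


def policy_allows(header, directive, url, page_origin=None):
    """Evaluate `url` against `directive`, falling back to default-src as a browser would."""
    policy = parse_policy(header)
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", [])
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    merged = merge_sources(EXISTING_POLICY, FEEFO_OPTION_3)
    print(merged)
    checks = [
        ("script-src", "https://api.feefo.com/api/javascript/your_Feefo_merchant_identifier"),
        ("script-src", "https://api.feefo.com/api/javascript/someone_else"),
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
        ("media-src", "http://video.vzaar.com/clip.mp4"),
    ]
    for directive, url in checks:
        verdict = "allowed" if policy_allows(merged, directive, url) else "BLOCKED"
        print(f"{directive:12} {url}: {verdict}")
```

Run it once against your real header (paste it into EXISTING_POLICY) and confirm that the URLs your widget actually requests come back allowed; a second merge of the same values returns the identical string, which is the quick check that nothing was duplicated.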