Content Security Policy
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. (Source: Mozilla)
If you are using source allowlisting, use the following for Content Security Policy:
style-src: 'unsafe-inline' https://fonts.googleapis.com
font-src: https://fonts.gstatic.com
connect-src: https://checklist.api.getalvis.com
child-src: https://onboarding-widget.getalvis.com
script-src: https://assets.getalvis.com
And, if you need to inject the script separately instead of including it in one of your scripts, you'll need to use a nonce (i.e. script-src 'nonce-rAnd0m' and <script nonce="rAnd0m">...).
If you cannot use the nonce method, you can only use the hash method.
1. Go to Dashboard, click the top right corner and click Install, then copy the installation script.
2. Paste into the place where you want to put the script. Then copy exactly what is between <script> and </script>, and put it into https://report-uri.com/home/hash to generate the hash.
3. Add the generated hash to script-src.
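The nonce and hash methods above, as an added Node.js example that is not part of the original page or the vendor's code: it computes the hash source locally from the text between <script> and </script> and assembles the policy from the allowlist on this page. SNIPPET is a constructed stand-in for the installation script, and all function names are hypothetical.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// Allowlist from this page; script-src is assembled separately below.
const BASE_POLICY = {
  "style-src": ["'unsafe-inline'", "https://fonts.googleapis.com"],
  "font-src": ["https://fonts.gstatic.com"],
  "connect-src": ["https://checklist.api.getalvis.com"],
  "child-src": ["https://onboarding-widget.getalvis.com"],
};
const SCRIPT_HOST = "https://assets.getalvis.com";

// Constructed stand-in for the installation script (not the real snippet).
const SNIPPET = '<script>\n  window.exampleWidget = "PLACEHOLDER";\n</script>';

// Step 2: exactly what is between <script> and </script>, whitespace included.
function inlineScriptBody(snippet) {
  const m = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/i.exec(snippet);
  if (!m) throw new Error("no inline <script> element found");
  return m[1];
}

// Hash source: base64 SHA-256 over the script text encoded as UTF-8.
function scriptHashSource(body) {
  const digest = createHash("sha256").update(body, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Nonce: 128 random bits, generated anew for every response.
function newNonce() {
  return randomBytes(16).toString("base64");
}

function buildPolicy(scriptSource) {
  const policy = { ...BASE_POLICY, "script-src": [SCRIPT_HOST, scriptSource] };
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

const hashPolicy = (snippet) => buildPolicy(scriptHashSource(inlineScriptBody(snippet)));
const noncePolicy = (nonce) => buildPolicy(`'nonce-${nonce}'`);

console.log("hash method: ", hashPolicy(SNIPPET));
const nonce = newNonce(); // also emit it as <script nonce="..."> in the same response
console.log("nonce method:", noncePolicy(nonce));
```

Any change to the inline script, including indentation or line endings, changes the hash, so regenerate it whenever the installation script is edited or reformatted.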
Also check out how to use Intercom with Content Security Policy.