Content Security Policies (CSP) are delivered as headers to your users' browser by your web-server and they are used to declare which dynamic resources are allowed to load on your page. By specifying approved sources, you can protect your visitors from a whole range of issues but this does require the site administrator to maintain an up-to-date list of approved sources.
Simply declaring that scripts/styles from only your own domain and that of any tools that you are using are allowed will, in most cases, be sufficient, but for sites using external resources, more complex rules may be necessary. For Feefo, choose one of the following:
The simplest option to allow Feefo integration widgets to run within a site implementing a CSP policy is to append the following rules to your existing default-src configuration:
https://*.feefo.com https://*.vzaar.com data: 'unsafe-eval' 'unsafe-inline'
If you would like stricter conditions, append each of the following sets of CSP rules to the appropriate configuration (shown in italics):
https://*.feefo.com 'unsafe-eval' 'unsafe-inline';
data: https://*.feefo.com https://*.vzaar.com;
To apply the strictest CSP conditions but still allow our integration widgets to run, append the following rules to the configurations (shown in italics):
data: https://api.feefo.com https://www.feefo.com https://view.vzaar.com https://resources.vzaar.com;
- Vzaar are Feefo's video hosting provider.
- For details of your_Feefo_merchant_identifier see Where to find my merchant identifier?